Cryptographic system, re-encryption key generation device, re-encryption device, cryptographic method, and cryptographic program

ABSTRACT

It is an object to implement a functional proxy re-encryption scheme. A decryption device  300  transmits to a re-encryption device  400  a decryption key k* rk  which is generated by converting, using conversion information W 1 , a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other, and encrypted conversion information ψ rk  which is generated by encrypting the conversion information W 1  with one of attribute information x′ and attribute information v′ corresponding to each other being set. The re-encryption device  400  generates a re-encrypted ciphertext CT, constituted by a ciphertext c renc  which is generated by setting at least one of additional information H and additional information Θ corresponding to each other in a ciphertext c enc  in which is set the other one of the attribute information x and the attribute information v, and a decryption key k* renc  which is generated by setting at least the other one of the additional information H and the additional information Θ in the decryption key k* rk .

TECHNICAL FIELD

The present invention relates to functional proxy re-encryption (FPRE).

BACKGROUND ART

Proxy re-encryption (PRE) is a system which allows decryption rights for ciphertexts to be delegated to third parties without decrypting the ciphertexts. Non-Patent Literature 1 discusses an identity-based PRE (IBPRE) scheme. Non-Patent Literature 2 discusses an attribute-based PRE (ABPRE) scheme. According to the PRE scheme discussed in Non-Patent Literature 2, only attributes consisting of AND and negative elements can be specified for ciphertexts.

Patent Literature 1 discusses functional encryption (FE).

CITATION LIST Patent Literature

-   Patent Literature 1: JP 2012-133214 A

Non-Patent Literature

-   Non-Patent Literature 1: M. Green, and G. Ateniese, Identity-Based     Proxy Re-encryption. In Applied Cryptography and Network Security.     volume 4521 of LNCS, pp 288-306, 2007. -   Non-Patent Literature 2: Xiaohui Liang, Zhenfu Cao, Huang Lin, Jun     Shao. Attribute based proxy re-encryption with delegating     capabilities. ASIA CCS 2009 pp. 276-286. -   Non-Patent Literature 3: Okamoto, T Takashima, K.: Decentralized     Attribute-Based Signatures. ePrint http://eprint.iacr.org/2011/701 -   Non-Patent Literature 4: Okamoto, T Takashima, K.: Fully Secure     Unbounded Inner-Product and Attribute-Based Encryption. ePrint     http://eprint.iacr.org/2012/671 -   Non-Patent Literature 5: Okamoto, T., Takashima, K.: Achieving Short     Ciphertexts or Short Secret-Keys for Adaptively Secure General     Inner-Product Encryption. CANS 2011, LNCS, vol. 7092, pp. 138-159     Springer Heidelberg (2011)

SUMMARY OF INVENTION Technical Problem

There has been no implementation of an FPRE scheme.

For PRE schemes that have been implemented, there has been a problem, which is that third parties to whom delegation is possible with a single re-encryption key are limited to only a single user or users having very restricted attributes.

It is an object of the present invention to provide a PRE scheme which allows flexible selection of third parties to whom delegation is possible with a single re-encryption key.

Solution to Problem

A cryptographic system according to the present invention implements a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, and includes a re-encryption key generation device and a re-encryption device,

wherein the re-encryption key generation device includes

a decryption key k*^(rk) generation part that generates a decryption key k*^(rk) by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other;

a conversion information W₁ encryption part that generates encrypted conversion information ψ^(rk) by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set; and

a re-encryption key transmission part that transmits to the re-encryption device the decryption key k*^(rk) and the encrypted conversion information ψ^(rk), as a re-encryption key rk; and

wherein the re-encryption device includes

a ciphertext receiving part that receives a ciphertext c^(enc) in which is set the other one of the attribute information x and the attribute information v;

a ciphertext c^(renc) generation part that generates a ciphertext c^(renc) by setting at least one of additional information H and additional information Θ corresponding to each other in the ciphertext c^(enc) received by the ciphertext receiving part;

a decryption key k*^(renc) generation part that generates a decryption key k*^(renc) by setting at least the other one of the additional information H and the additional information Θ in the decryption key k*^(rk) included in the re-encryption key rk; and

a re-encrypted ciphertext transmission part that transmits the ciphertext c^(renc), the decryption key k*^(renc), and the encrypted conversion information ψ^(rk), as a re-encrypted ciphertext CT.

Advantageous Effects of Invention

A cryptographic system according to the present invention can implement an FPRE scheme. Thus, a single re-encryption key can be used to forward a ciphertext to a set of various types of users. Specifically, a general non-monotonic access structure can be embedded in a re-encryption key, allowing flexible forwarding settings without restrictions on forwarding destination users.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is an explanatory drawing of a matrix M̂;

FIG. 2 is an explanatory drawing of a matrix M_(δ);

FIG. 3 is an explanatory drawing of s₀;

FIG. 4 is an explanatory drawing of s^(→T);

FIG. 5 is a configuration diagram of a cryptographic processing system 10 that implements a CP-FPRE scheme;

FIG. 6 is a functional block diagram illustrating the function of a key generation device 100;

FIG. 7 is a functional block diagram illustrating the function of an encryption device 200;

FIG. 8 is a functional block diagram illustrating the function of a decryption device 300;

FIG. 9 is a functional block diagram illustrating the function of a re-encryption device 400;

FIG. 10 is a functional block diagram illustrating the function of a re-encrypted ciphertext decryption device 500;

FIG. 11 is a flowchart illustrating the process of a Setup algorithm;

FIG. 12 is a flowchart illustrating the process of a KG algorithm;

FIG. 13 is a flowchart illustrating the process of an Enc algorithm;

FIG. 14 is a flowchart illustrating the process of an RKG algorithm;

FIG. 15 is a flowchart illustrating the process of an REnc algorithm;

FIG. 16 is a flowchart illustrating the process of a Dec1 algorithm;

FIG. 17 is a flowchart illustrating the process of a Dec2 algorithm;

FIG. 18 is a configuration diagram of a cryptographic processing system 10 that implements a KP-FPRE scheme;

FIG. 19 is a functional block diagram illustrating the function of a key generation device 100;

FIG. 20 is a functional block diagram illustrating the function of an encryption device 200;

FIG. 21 is a functional block diagram illustrating the function of a decryption device 300;

FIG. 22 is a functional block diagram illustrating the function of a re-encryption device 400;

FIG. 23 is a functional block diagram illustrating the function of a re-encrypted ciphertext decryption device 500;

FIG. 24 is a flowchart illustrating the process of a KG algorithm;

FIG. 25 is a flowchart illustrating the process of an Enc algorithm;

FIG. 26 is a flowchart illustrating the process of an RKG algorithm;

FIG. 27 is a flowchart illustrating the process of an REnc algorithm;

FIG. 28 is a flowchart illustrating the process of a Dec1 algorithm;

FIG. 29 is a flowchart illustrating the process of a Dec2 algorithm; and

FIG. 30 is a diagram illustrating an example of a hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, the re-encryption device 400, and the re-encrypted ciphertext decryption device 500.

DESCRIPTION OF EMBODIMENTS

Embodiments of the present invention will be described hereinafter with reference to the accompanying drawings.

In the following description, a processing device is a CPU 911 or the like to be described later. A storage device is a ROM 913, a RAM 914, a magnetic disk 920 or the like to be described later. A communication device is a communication board 915 or the like to be described later. An input device is a keyboard 902, the communication board 915 or the like to be described later. That is, the processing device, the storage device, the communication device, and the input device are hardware.

Notations to be used in the following description will be described.

When A is a random variable or distribution, Formula 101 denotes that y is randomly selected from A according to the distribution of A. That is, y is a random number in Formula 101.

$\begin{matrix} {y\overset{R}{}A} & \left\lbrack {{Formula}\mspace{14mu} 101} \right\rbrack \end{matrix}$

When A is a set, Formula 102 denotes that y is uniformly selected from A. That is, y is a uniform random number in Formula 102.

$\begin{matrix} {y\overset{U}{}A} & \left\lbrack {{Formula}\mspace{14mu} 102} \right\rbrack \end{matrix}$

Formula 103 denotes that y is a set defined or substituted by z.

y:=z  [Formula 103]

When a is a fixed value, Formula 104 denotes that a machine (algorithm) A outputs a on input x.

A(x)→a  [Formula 104]

For example,

A(x)→1

Formula 105, namely F_(q), denotes a finite field of order q.

_(q)  [Formula 105]

A vector symbol denotes a vector representation over the finite field F_(q), as indicated in Formula 106.

[Formula 106]

{right arrow over (x)} denotes

(x ₁ , . . . ,x _(n))ε

_(q) ^(n).

Formula 107 denotes that the inner-product, indicated in Formula 109, of two vectors x^(→) and v^(→) indicated in Formula 108.

{right arrow over (x)}·{right arrow over (v)}  [Formula 107]

{right arrow over (x)}=(x ₁ , . . . ,x _(n)),

{right arrow over (v)}=(v ₁ , . . . ,v _(n))  [Formula 108]

Σ_(i=1) ^(n) x _(i) v _(i)  [Formula 109]

Note that X^(T) denotes the transpose of a matrix X.

For a basis B and a basis B* indicated in Formula 110, Formula 111 is established.

:=(b ₁ , . . . ,b _(N)),

:=(b* ₁ , . . . ,b* _(N))  [Formula 110]

(x ₁ , . . . ,x _(N)

:=Σ_(i=1) ^(N) x _(i) b _(i),

(y ₁ , . . . ,y _(N)

*:=Σ_(i=1) ^(N) y _(i) b* _(i)[Formula 111]

Note that e^(→) _(j) denotes an orthonormal basis vector indicated in Formula 112.

$\begin{matrix} {{{{{\overset{\rightarrow}{e}}_{j}\text{:}\mspace{11mu} \left( {{\overset{\overset{j - 1}{}}{{0\mspace{11mu} \ldots \mspace{11mu} 0},}\mspace{11mu} 1},\overset{\overset{n - j}{}}{0\mspace{11mu} \ldots \mspace{11mu} 0}} \right)} \in {_{q}^{n}\mspace{14mu} {for}\mspace{14mu} j}} = 1},\ldots \mspace{14mu},n,} & \left\lbrack {{Formula}\mspace{14mu} 112} \right\rbrack \end{matrix}$

In the following description, when “Vt”, “nt”, “ut”, and “zt” are each represented as a subscript or superscript, these Vt, nt, ut and, zt respectively denote V_(t), n_(t), u_(t), and z_(t). Likewise, when “δi,j” is represented as a superscript, this δi,j denotes δ_(i,j).

When “→” denoting a vector is attached to a subscript or superscript, it is meant that this “→” is attached as a superscript to the subscript or superscript.

In the following description, cryptographic processes include a key generation process, an encryption process, a re-encryption key generation process, a re-encryption process, a decryption process, and a re-encrypted ciphertext decryption process.

Embodiment 1

This embodiment describes a basic concept for implementing an FPRE scheme, and then describes a structure of the FPRE scheme according to this embodiment.

First, FPRE will be briefly described.

Second, a space having a rich mathematical structure called “dual pairing vector spaces (DPVS)” which is a space for implementing the FPRE scheme will be described.

Third, a concept for implementing the FPRE scheme will be described. Here, a span program, an inner-product of attribute vectors and an access structure, and a secret distribution scheme (secret sharing scheme) will be described.

Fourth, the FPRE scheme according to this embodiment will be described. In this embodiment, a ciphertext-policy FPRE scheme (CP-FPRE) scheme will be described. First, a basic structure of the CP-FPRE scheme will be described. Then, a basic configuration of a cryptographic processing system 10 that implements the CP-FPRE scheme will be described. Then, items used for implementing the CP-FPRE scheme will be described. Then, the CP-FPRE scheme and the cryptographic processing system 10 according to this embodiment will be described in detail.

<1. FPRE>

FPRE is a proxy re-encryption scheme which provides more sophisticated and flexible relations among an encryption key (ek), a decryption key (dk), and a re-encryption key (rk).

FPRE has the following two properties. First, attribute information x and attribute information v are respectively set in an encryption key and a decryption key. If and only if a relation R(x, v) holds, a decryption key dk_(v) can decrypt a ciphertext encrypted with an encryption key ek_(x). Second, in addition to the attribute information x and the attribute information v being respectively set in the encryption key and the decryption key, two pieces of attribute information (x′, v) are set in a re-encryption key. If and only if R(x, v) holds, a re-encryption key rk_((x′,v)) can transform a ciphertext encrypted with the encryption key ek_(x) to a ciphertext which can be decrypted with a decryption key dk_(v′) with which R(x′, v′) holds, that is, to a ciphertext encrypted with an encryption key ek_(x′).

In a case where R(x, v) holds if and only if a relation R is an equality relation, i.e., x=v, this PRE scheme is IDPRE.

ABPRE is available as more generalized PRE than IDPRE. In ABPRE, attribute information which is set in an encryption key and attribute information which is set in a decryption key are each a set of attribute information. For example, the attribute information which is set in the encryption key is X:=(x₁, . . . , x_(d)), and the attribute information which is set in the decryption key is V:=(v₁, . . . , v_(d)).

An equality relation for each pair of components of the attribute information (for example, {x_(t)=v_(t)}tε{1, . . . , d}) is inputted to an access structure S, and R(X, V) holds if and only if the access structure accepts this input. That is, a ciphertext encrypted with the encryption key can be decrypted with the decryption key. Non-Patent Literature 2 proposes a ciphertext-policy PRE scheme according to which an access structure S is embedded in a ciphertext. The access structure in this case consists of only AND and negative elements.

There is ordinary FE in which a ciphertext forwarding function does not exist, that is, a re-encryption key does not exist. In FE, a re-encryption key and a re-encryption process do not exist, and attribute information x and attribute information v are respectively set in an encryption key and a decryption key. If and only if a relation R(x, v) holds, a decryption key dk_(v):=(dk, v) can decrypt a ciphertext encrypted with an encryption key ek_(x):=(ek, x).

<2. Dual Pairing Vector Spaces>

First, symmetric bilinear pairing groups will be described.

Symmetric bilinear pairing groups (q, G, G^(T), g, e) are a tuple of a prime q, a cyclic additive group G of order q, a cyclic multiplicative group G^(T) of order q, g≠0εG, and a polynomial-time computable nondegenerate bilinear pairing e:G×G→G_(T). The nondegenerate bilinear pairing signifies e(sg, tg)=e(g, g)^(st), and e(g, g)≠1.

In the following description, let G_(bpg) be an algorithm that takes as input 1^(λ) and outputs values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups with a security parameter λ.

Dual pairing vector spaces will now be described.

Dual pairing vector spaces (q, V, G_(T), A, e) can be constructed by a direct product of the symmetric bilinear pairing groups (param_(G):=(q, G, G_(T), g, e)). The dual pairing vector spaces (q, V, G_(T), A, e) are a tuple of a prime q, an N-dimensional vector space V over F_(q) indicated in Formula 113, a cyclic group G_(T) of order q, and a canonical basis A:=(a₁, . . . , a_(N)) of the space V, and have the following operations (1) and (2), where a_(i) is as indicated in Formula 114.

$\begin{matrix} {\text{:=}\mspace{14mu} \overset{\overset{N}{}}{ \times \ldots \times }} & \left\lbrack {{Formula}\mspace{14mu} 113} \right\rbrack \\ {a_{i}\text{:=}\mspace{14mu} \left( {\overset{\overset{i - 1}{}}{0,\ldots,\mspace{14mu} 0},g,\overset{\overset{N - i}{}}{0,\ldots,\mspace{14mu} 0}} \right)} & \left\lbrack {{Formula}\mspace{14mu} 114} \right\rbrack \end{matrix}$

Operation (1): Nondegenerate Bilinear Pairing

A pairing in the space V is defined by Formula 115.

e(x,y):=Π_(i=1) ^(N) e(G _(i) ,H _(i))ε

_(T)  [Formula 115]

where

(G ₁ , . . . ,G _(N)):=xε

,

(H ₁ , . . . ,H _(N)):=yε

.

This is nondegenerate bilinear, that is, e(sx, ty)=e(x, y)^(st) and if e(x, y)=1 for all yεV, then x=0. For all i and j, e(a_(i), a_(j))=e(g, g)^(δi,j), where δ_(i,j)=1 if i=j, and δ_(i,j)=0 if i≠j, and e(g, g)≠1εG_(T).

Operation (2): Distortion Maps

Linear transformations φ_(i,j) on the space V indicated in Formula 116 can achieve Formula 117.

$\begin{matrix} {{{{if}\mspace{14mu} {\varphi_{i,j}\left( a_{j} \right)}} = {{a_{i}\mspace{14mu} {and}\mspace{14mu} k} \neq j}},{{{then}\mspace{14mu} {\varphi_{i,j}\left( a_{k} \right)}} = 0.}} & \left\lbrack {{Formula}\mspace{14mu} 116} \right\rbrack \\ {{{\varphi_{i,j}(x)}\text{:=}\mspace{20mu} \left( {\overset{\overset{i - 1}{}}{0,\ldots,\mspace{14mu} 0},g_{j},\overset{\overset{N - i}{}}{0,\ldots,\mspace{14mu} 0}} \right)}\text{}{{{where}\left( {g_{1},{\ldots \mspace{11mu} g_{N}}} \right)}\text{:=}\mspace{14mu} {x.}}} & \left\lbrack {{Formula}\mspace{14mu} 117} \right\rbrack \end{matrix}$

The linear transformations φ_(i,j) will be called distortion maps.

In the following description, let G_(dpvs) be an algorithm that takes as input 1^(λ) (λ ε natural number), Nε natural number, and values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups, and outputs values of a parameter param_(V):=(q, V, G_(T), A, e) of dual pairing vector spaces with a security parameter λ and an N-dimensional space V.

Description will be directed herein to a case where the dual pairing vector spaces are constructed using the above-described symmetric bilinear pairing groups. The dual pairing vector spaces can also be constructed using asymmetric bilinear pairing groups. The following description can easily be adapted to a case where the dual pairing vector spaces are constructed using asymmetric bilinear pairing groups.

<3. Concept for Implementing FPRE Scheme>

<3-1. Span Program>

FIG. 1 is an explanatory drawing of a matrix M̂.

Let {p₁, . . . , p_(n)} be a set of variables. M̂:=(M, ρ) is a labeled matrix. The matrix M is an (L rows×r columns) matrix over F_(q), and ρ is a label of columns of the matrix M and is related to one of literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. A label ρ_(i) (i=1, . . . , L) of each row of M is related to one of the literals. That is, ρ:{1, . . . , L}→{p_(i), . . . , p_(n),

p₁, . . . ,

p_(n)}.

For every input sequence δ ε{0, 1}^(n), a submatrix M_(δ) of the matrix M is defined. The matrix M_(δ) is a submatrix consisting of those rows of the matrix M the labels ρ of which are related to a value “1” by the input sequence δ. That is, the matrix M_(δ) is a submatrix consisting of the rows of the matrix M which are related to p_(i) such that δ_(i)=1 and the rows of the matrix M which are related to

p_(i) such that δ_(i)=0.

FIG. 2 is an explanatory drawing of the matrix M_(δ). In FIG. 2, note that n=7, L=6, and r=5. That is, the set of variables is {p₁, . . . , p₇}, and the matrix M is a (6 rows×5 columns) matrix. In FIG. 2, assume that the labels ρ are related such that ρ₁ is related to

p₂, ρ₂ to p₁, ρ₃ to p₄, ρ₄ to

p₅, ρ₅ to

p₃, and ρ₆ to p₅.

Assume that in an input sequence δε{0, 1}⁷, δ₁=1, δ₂=0, δ₃=1, δ₄=0, δ₅=0, δ₆=1, and δ₇=1. In this case, a submatrix consisting of the rows of the matrix M which are related to literals (p₁, p₃, p₆, p₇,

p₂,

p₄,

p₅) surrounded by broken lines is the matrix M_(δ). That is, the submatrix consisting of the first row (M₁), second row (M₂), and fourth row (M₄) of the matrix M is the matrix M_(δ).

In other words, when map γ:{1, . . . , L}→{0, 1} is [ρ(j)=p_(i)]̂[δ_(i)=1] or [ρ(j)=

p_(i)]̂[δ_(i)=0], then γ(j)=1; otherwise γ(j)=0. In this case, M_(δ):=(M_(j))_(γ(j)=1). Note that M_(j) is the j-th row of the matrix M.

That is, in FIG. 2, map γ(j)=1 (j=1, 2, 4), and map γ(j)=0 (j=3, 5, 6). Hence, (M_(j))_(γ(j)=1) is M₁, M₂, and M₄, and is the matrix M_(δ).

More specifically, whether or not the j-th row of the matrix M is included in the matrix M_(δ) is determined by whether the value of the map γ(j) is “0” or “1”.

The span program M̂accepts an input sequence δ if and only if 1^(→)ε span<M_(δ)>, and rejects the input sequence δ otherwise. That is, the span program M̂ accepts the input sequence δ if and only if linear combination of the rows of the matrix M_(δ) which are obtained from the matrix M̂ by the input sequence δ gives 1^(→). 1^(→) is a row vector which has a value “1” in each element.

For example, in FIG. 2, the span program M̂ accepts the input sequence δ if and only if linear combination of the respective rows of the matrix M_(δ) consisting of the first, second, and fourth rows of the matrix M gives 1^(→). That is, if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M̂ accepts the input sequence δ.

The span program is called monotone if its labels ρ are related to only positive literals {p₁, . . . , p_(n)}. The span program is called non-monotone if its labels ρ are

related to the literals {p₁, . . . , p_(n),

p₁, . . . ,

p_(n)}. It is assumed herein that the span program is non-monotone. An access structure (non-monotone access structure) is constructed using the non-monotone span program. Briefly, an access structure controls access to encryption, that is, it controls whether a ciphertext is to be decrypted or not.

As will be described in detail later, the span program being non-monotone, instead of being monotone, allows for a wider range of applications of the FPRE scheme constructed using the span program.

<3-2. Inner-Product of Attribute Information and Access Structure>

The above-described map γ(j) is computed using the inner-product of attribute information. That is, the inner-product of attribute information is used to determine which row of the matrix M is to be included in the matrix M_(δ).

U_(t) (t=1, . . . , d and U_(t) ⊂{0, 1}*) is a sub-universe and a set of attributes. Each U_(t) includes identification information (t) of the sub-universe and an n-dimensional vector (v^(→)). That is, U_(t) is (t, v^(→)), where tε{1, . . . , d} and v^(→)εF_(q) ^(n).

Let U_(t):=(t, v^(→)) be a variable p of the span program M̂:=(M, ρ). That is, p:=(t, v^(→)). Let the span program M̂:=(M, ρ) having the variable (p:=(t, v^(→)), (t, v′^(→)), . . . ) be an access structure S.

That is, the access structure S:=(M, ρ) and ρ:{1, . . . , L}→{(t, v^(→)), (t, v′^(→)), . . . ,

(t, v^(→)),

(t, v′^(→)), . . . }.

Let Γ be a set of attributes. That is, Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(n), 1≦t≦d}.

When Γ is given to the access structure S, map γ:{1, . . . , L}→{0, 1} for the span program M̂:=(M, ρ) is defined as follows. For each integer i=1, . . . , L, set γ(j)=1 if [ρ(i)=(t, v^(→) _(i))]

[(t, x^(→) _(t))εΓ]

[v^(→) _(i)·x^(→) _(t)=0] or [ρ(i)=

(t, v^(→) _(i))]

[(t, x^(→) _(t))εΓ]

[v^(→) _(i)·x^(→) _(t)≠0]. Set γ(j)=0 otherwise.

That is, the map γ is computed based on the inner-product of the attribute information v^(→) and x^(→). As described above, which row of the matrix M is to be included in the matrix M_(δ) is determined by the map γ. More specifically, which row of the matrix M is to be included in the matrix M_(δ) is determined by the inner-product of the attribute information v^(→) and x^(→). The access structure S:=(M, ρ) accepts Γ if and only if 1^(→)ε span<(M_(i))_(γ(i)=1)>.

<3-3. Secret Distribution Scheme>

A secret distribution scheme for the access structure S:=(M, ρ) will be described.

The secret distribution scheme is distributing secret information to render it nonsense distributed information. For example, secret information s is distributed into 10 pieces to generate 10 pieces of distributed information. Each of the 10 pieces of distributed information does not have information on the secret information s. Hence, even when one of the pieces of distributed information is obtained, no information can be obtained on the secret information s. On the other hand, if all of the 10 pieces of distributed information are obtained, the secret information s can be recovered.

Another secret distribution scheme is also available according to which the secret information s can be recovered if some (for example, 8 pieces) of distributed information can be obtained, without obtaining all of the 10 pieces of distributed information. A case like this where the secret information s can be recovered using 8 pieces out of 10 pieces of distributed information will be called 8-out-of-10. That is, a case where the secret information s can be recovered using t pieces out of n pieces of distributed information will be called t-out-of-n. This t will be called a threshold.

Still another secret distribution scheme is available according to which when 10 pieces of distributed information d₁, . . . , d₁₀ are generated, the secret information s can be recovered with 8 pieces of distributed information d₁, . . . , d₈, but the secret information s cannot be recovered with 8 pieces of distributed information d₃, . . . , d₁₀. In other words, secret distribution schemes include a scheme according to which whether or not the secret information s can be recovered is controlled not only by the number of pieces of distributed information obtained, but also the combination of distributed information obtained.

FIG. 3 is an explanatory drawing of s₀. FIG. 4 is an explanatory drawing of s^(→T).

Let a matrix M be an (L rows×r columns) matrix. Let f^(→T) be a column vector indicated in Formula 118.

$\begin{matrix} {{\overset{\rightarrow}{f}}^{T}:={\left( {f_{1},{\ldots \mspace{14mu} f_{r}}} \right)^{T}\overset{U}{}_{q}^{r}}} & \left\lbrack {{Formula}\mspace{14mu} 118} \right\rbrack \end{matrix}$

Let s₀ indicated in Formula 119 be secret information to be shared.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T) :=Σk=1^(r) f _(k)  [Formula 119]

Let s^(→T) indicated in Formula 120 be a vector of L pieces of distributed information of s₀.

{right arrow over (s)} ^(T):=(s ₁ , . . . s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 120]

Let the distributed information s_(i) belong to ρ(i).

If the access structure S:=(M, ρ) accepts Γ, that is, 1^(→)ε span<(M_(i))_(γ(i)−1)> for γ:{1, . . . , L}→{0, 1}, then there exist constants {α_(i)εF_(q)|iεI} such that I⊂{iε{1, . . . , L}|γ(i)−=1}.

This is obvious from the explanation about the example of FIG. 2 that if there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), the span program M̂ accepts the input sequence δ. That is, if the span program M̂ accepts the input sequence δ when there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→), then there exist α₁, α₂, and α₄ with which α₁(M₁)+α₂(M₂)+α₄(M₄)=1^(→).

Note Formula 121.

Σ_(iεI)α_(i) s _(i) :=s ₀  [Formula 121]

Note that the constants {α_(i)}can be computed in time polynomial in the size of the matrix M.

With the FPRE scheme according to the following embodiments, an access structure is constructed by applying the inner-product predicate and the secret distribution scheme to the span program, as described above. Therefore, access control can be designed flexibly by designing the matrix M in the span program and the attribute information x and the attribute information v (predicate information) in the inner-product predicate. That is, access control can be designed very flexibly. Designing of the matrix M corresponds to designing of conditions such as a threshold of the secret distribution scheme.

For example, the attribute-based encryption scheme described above corresponds to a case where designing of the inner-product predicate is limited to a certain condition in the access structure in the FPRE scheme according to the following embodiments. That is, when compared to the access structure in the FPRE scheme according to the following embodiments, the access structure in the attribute-based encryption scheme has a lower flexibility in access control design because it lacks the flexibility in designing the attribute information x and the attribute information v (predicate information) in the inner-product predicate. More specifically, the attribute-based encryption scheme corresponds to a case where attribute information {x^(→) _(t)}_(tε{1, . . . , d}) and {v^(→) _(t)}_(tε{1, . . . , d}) are limited to two-dimensional vectors for the equality relation, for example, x^(→) _(t):=(1, x_(t)) and v^(→) _(t):=(v_(t), −1).

An inner-product predicate PRE scheme corresponds to a case where designing of the matrix M in the span program is limited to a certain condition in the access structure in the FPRE scheme according to the following embodiments. That is, when compared to the access structure in the FPRE scheme according to the following embodiments, the access structure in the inner-product predicate encryption scheme has a lower flexibility in access control design because it lacks the flexibility in designing the matrix M in the span program. More specifically, the inner-product predicate encryption scheme corresponds to a case where the secret distribution scheme is limited to 1-out-of-1 (or d-out-of-d).

In particular, the access structure in the FPRE scheme according to the following embodiments constitutes a non-monotone access structure that uses a non-monotone span program. Thus, the flexibility in access control designing improves.

More specifically, since the non-monotone span program includes a negative literal (

p), a negative condition can be set. For example, assume that First Company includes four departments, A, B, C, and D. Assume that access control is to be performed such that only users belonging to departments other than department B of First Company are capable of access (capable of decryption). In this case, if a negative condition cannot be set, a condition that “the user belongs to any one of departments A, C, and D of First Company” must be set. On the other hand, if a negative condition can be set, a condition that “the user is an employee of First Company and belongs to a department other than department B” can be set. In other words, since a negative condition can be set, natural condition setting is possible. Although the number of departments is small in this case, this scheme is very effective in a case where the number of departments is large.

<4. Basic Structure of FPRE Scheme>

<4-1. Basic Structure of CP-FPRE Scheme>

The structure of the CP-FPRE scheme will be briefly described. Note that CP (ciphertext policy) means that a policy, namely an access structure, is embedded in a ciphertext.

The CP-FPRE scheme consists of seven algorithms: Setup, KG, Enc, RKG, REnc, Dec1, and Dec2.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and outputs a public parameter pk and a master key sk.

(KG)

A KG algorithm is a probabilistic algorithm that takes as input an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(nt), 1≦t≦d}, the public parameter pk, and the master key sk, and outputs a decryption key sk_(Γ).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input a message m, an access structure S=(M, ρ), and the public parameter pk, and outputs a ciphertext ct_(S).

(RKG)

An RKG algorithm is a probabilistic algorithm that takes as input the decryption key sk_(Γ), an access structure S′:=(M′, ρ′), and the public parameter pk, and outputs a re-encryption key rk_((Γ.S′)).

(REnc)

An REnc algorithm is a probabilistic algorithm that takes as input the ciphertext ct_(S), the re-encryption key rk_((Γ.S′)), and the public parameter pk, and outputs a re-encrypted ciphertext CT_(S′).

(Dec1)

A Dec1 algorithm is an algorithm that takes as input the re-encrypted ciphertext CT_(S′), the decryption key sk_(Γ′), and the public parameter pk, and outputs the message m or a distinguished symbol ⊥.

(Dec2)

A Dec2 algorithm is an algorithm that takes as input the ciphertext ct_(S), the decryption key sk_(Γ), and the public parameter pk, and outputs the message m or the distinguished symbol ⊥.

<4-2. Cryptographic Processing System 10>

The cryptographic processing system 10 that executes the algorithms of the CP-FPRE scheme will be described.

FIG. 5 is a configuration diagram of the cryptographic processing system 10 that implements the CP-FPRE scheme.

The cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300 (re-encryption key generation device), a re-encryption device 400, and a re-encrypted ciphertext decryption device 500.

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and thus generates a public parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk. The key generation device 100 also executes the KG algorithm taking as input an attribute set Γ, and thus generates a decryption key sk_(Γ), and transmits the decryption key sk_(Γ) to the decryption device 300 in secrecy. The key generation device 100 also executes the KG algorithm taking as input an attribute set Γ, and thus generates a decryption key sk_(Γ), and transmits the decryption key sk_(Γ), to the re-encrypted ciphertext decryption device 500 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input a message m, an access structure S, and the public parameter pk, and thus generates a ciphertext ct_(S). The encryption device 200 transmits the ciphertext ct_(S) to the re-encryption device 400.

The decryption device 300 executes the RKG algorithm taking as input the public parameter pk, the decryption key sk_(Γ), and an access structure S′, and thus generates a re-encryption key rk_((Γ.S′)). The decryption device 300 transmits the re-encryption key rk_((Γ.S′)) to the re-encryption device in secrecy.

The decryption device 300 also executes the Dec2 algorithm taking as input the public parameter pk, the decryption key sk_(Γ), and the ciphertext ct_(S), and outputs the message m or the distinguished symbol ⊥.

The re-encryption device 400 executes the REnc algorithm taking as input the public parameter pk, the re-encryption key rk_((Γ.S′)), and the ciphertext ct_(S), and thus generates a re-encrypted ciphertext CT_(S′). The re-encryption device 400 transmits the re-encrypted ciphertext CT_(S′) to the re-encrypted ciphertext decryption device 500.

The re-encrypted ciphertext decryption device 500 executes the Dec1 algorithm taking as input the public parameter pk, the decryption key sk_(Γ), the re-encrypted ciphertext CT_(S′) and outputs the message m or the distinguished symbol ⊥.

<4-3. Items Used to Implement CP-FPRE Scheme>

To implement the CP-FPRE scheme, ciphertext-policy functional encryption (CP-FE) and one-time signature are used. Since both are publicly known techniques, schemes to be used in the following description will be briefly described. An example of a CP-FE scheme is discussed in Patent Literature 1.

The CP-FE scheme consists of four algorithms: Setup_(CP-FE), KG_(CP-FE), EnC_(CP-FE), and Dec_(CP-FE)4.

(Setup_(CP-FE))

A Setup_(CP-FE) algorithm is a probabilistic algorithm that takes as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d)), and outputs a public parameter pk^(CP-FE) and a master key sk^(CP-FE).

(KG_(CP-FE))

A KG_(CP-FE) algorithm is a probabilistic algorithm that takes as input an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(nt), 1≦t≦d}, the public parameter pk^(CP-FE), and the master key sk^(CP-FE), and outputs a decryption key sk_(Γ) ^(CP-FE).

(Enc_(CP-FE))

An Enc_(CP-FE) algorithm is a probabilistic algorithm that takes as input a message m, an access structure S=(M, ρ), and the public parameter pk^(CP-FE), and outputs a ciphertext ψ.

(Dec_(CP-FE))

A Dec_(CP-FE) algorithm is an algorithm that takes as input the ciphertext ψ, the decryption key sk_(Γ) ^(CP-FE), and the public parameter pk^(CP-FE), and outputs the message m or the distinguished symbol ⊥.

A one-time signature scheme consists of three algorithms: SigKG, Sig, and Ver.

(SigKG)

A SigKG algorithm is a probabilistic algorithm that takes as input a security parameter λ, and outputs a signature key sigk and a verification key verk.

(Sig)

A Sig algorithm is a probabilistic algorithm that takes as input the signature key sigk and a message m, and outputs a signature S.

(Ver)

A Ver algorithm is an algorithm that takes as input the verification key verk, the message m, and the signature S, and outputs 1 if the signature S is valid for the verification key verk and the message m and outputs 0 if not valid.

<4-4. CP-FPRE Scheme and Cryptographic Processing System 10 in Detail>

With reference to FIG. 6 through FIG. 17, the CP-FPRE scheme will be described, and the function and operation of the cryptographic processing system 10 that implements the CP-FPRE scheme will be described.

FIG. 6 is a functional block diagram illustrating the function of the key generation device 100. FIG. 7 is a functional block diagram illustrating the function of the encryption device 200. FIG. 8 is a functional block diagram illustrating the function of the decryption device 300. FIG. 9 is a functional block diagram illustrating the function of the re-encryption device 400. FIG. 10 is a functional block diagram illustrating the function of the re-encrypted ciphertext decryption device 500.

FIGS. 11 and 12 are flowcharts illustrating the operation of the key generation device 100. FIG. 11 is a flowchart illustrating the process of the Setup algorithm, and the FIG. 12 is a flowchart illustrating the process of the KG algorithm. FIG. 13 is a flowchart illustrating the operation of the encryption device 200 and illustrating the process of the Enc algorithm. FIG. 14 is a flowchart illustrating the operation of the decryption device 300 and illustrating the process of the RKG algorithm. FIG. 15 is a flowchart illustrating the operation of the re-encryption device 400 and illustrating the process of the REnc algorithm. FIG. 16 is a flowchart illustrating the operation of the re-encrypted ciphertext decryption device 500 and illustrating the process of the Dec1 algorithm. FIG. 17 is a flowchart illustrating the operation of the decryption device 300 and illustrating the process of the Dec2 algorithm.

The function and operation of the key generation device 100 will be described.

The key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The decryption key generation part 140 includes a CP-FE key generation part 141, a random number generation part 142, and a decryption key k* generation part 143.

With reference to FIG. 11, the process of the Setup algorithm will be described.

(S101: Orthonormal Basis Generation Step)

Using the processing device, the master key generation part 110 computes Formula 122, and thus generates a parameter param_(n→), a basis B₀ and a basis B*₀, and a basis B_(t) and a basis B*_(t).

$\begin{matrix} {\mspace{79mu} {{{(1)\mspace{14mu} {input}\mspace{14mu} 1^{\lambda}},\overset{\rightarrow}{n}}\mspace{79mu} {{(2)\mspace{14mu} {param}_{}}:={\left( {q,,_{T},g,e} \right)\overset{R}{}{_{bpg}\left( 1^{\lambda} \right)}}}{{{(3)\mspace{14mu} N_{0}}:=7},{N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu} {for}\mspace{14mu} t}} = 1}},\ldots \mspace{14mu},d,\mspace{79mu} {\psi \overset{U}{}_{q}^{\times}},{g_{T}:={e\left( {g,g} \right)}^{\psi}}}}} & \left\lbrack {{Formula}\mspace{14mu} 122} \right\rbrack \end{matrix}$

The process of (4) through (7) is executed for each integer t=0, . . . , d.

${{(4)\mspace{14mu} {param}_{_{t}}}:={\left( {q,,_{T},_{T},e} \right)\overset{R}{}{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}},{{(5)\mspace{14mu} X_{t}} = {\begin{pmatrix} {\overset{\rightarrow}{\chi}}_{t,1} \\ \vdots \\ {\overset{\rightarrow}{\chi}}_{t,N_{t}} \end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}}},{{(6)\mspace{14mu} \begin{pmatrix} {\overset{\rightarrow}{v}}_{t,1} \\ \vdots \\ {\overset{\rightarrow}{v}}_{t,N_{t}} \end{pmatrix}}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},{{(7)\mspace{14mu} b_{t.i}}:={\sum\limits_{j = 1}^{N_{t}}{\chi_{t,i,j}a_{t,j}}}},{_{t}:=\left( {b_{t{.1}},\ldots \mspace{14mu},b_{t.N_{t}}} \right)},\mspace{40mu} {b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}{v_{t,i,j}a_{t,j}}}},{_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.N_{t}}^{*}} \right)},{{(8)\mspace{14mu} {param}_{\overset{\rightarrow}{n}}}:=\left( {\left\{ {param}_{_{t}} \right\}_{{t = 0},\; \ldots \mspace{11mu},d},g_{T}} \right)}$

That is, the master key generation part 110 executes the following process.

-   -   (1) Using the input device, the master key generation part 110         takes as input a security parameter λ(1^(λ)) and an attribute         format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . .         . , z_(d)). Note that d is an integer of 1 or more, and that         n_(t) is an integer of 1 or more, and u_(t) and z_(t) are         integers of 0 or more, for each integer t=1, . . . , d.

(2) Using the processing device, the master key generation part 110 executes the algorithm G_(bpg) taking as input the security parameter λ inputted in (1), and thus generates values of a parameter param_(G):=(q, G, G_(T), g, e) of bilinear pairing groups.

(3) The master key generation part 110 sets 7 in N₀ and sets n_(t)+u_(t)+z_(t)+1 in N_(t) for each integer t=1, . . . , d. The master key generation part 110 also generates a random number ψ. The master key generation part 110 also sets e(G, G)^(ψ) in g_(T).

Then, the master key generation part 110 executes the following process (4) through (7) for each integer t=0, . . . , d.

-   -   (4) The master key generation part 110 executes the algorithm         G_(dpvs) taking as input the security parameter λ (1^(λ))         inputted in (1), N_(t) set in (3), and the values of         param_(G):=(q, G, G_(T), g, e) generated in (2), and thus         generates values of a parameter param_(Vt):=(q, V_(t), G_(T),         A_(t), e) of dual pairing vector spaces.

(5) The master key generation part 110 takes as input N_(t) set in (3) and F_(q), and randomly generates a linear transformation X_(t):=(χ_(t,i,j))_(i,j). Note that GL stands for general linear. In other words, GL is a general linear group, a set of square matrices with nonzero determinants, and a group under multiplication. Note that (χ_(t,i,j))_(i,j) denotes a matrix concerning the suffixes i and j of the matrix χ_(t,i,j), where i, j=1, . . . , N_(t).

(6) Based on the random number ψ and the linear transformation X_(t), the master key generation part 110 generates (ν_(t,i,j))_(i,j):=ψ·(X_(t) ^(T))⁻¹. Like (χ_(t,i,j))_(i,j), (ν_(t,i,j))_(i,j) denotes a matrix concerning the suffixes i and j of the matrix ν_(t,i,j,) where i, j=1, . . . , N_(t).

(7) Based on the linear transformation X_(t) generated in (5), the master key generation part 110 generates a basis B_(t) from the orthonormal basis A_(t) generated in (4). Based on (ν_(t,i,j))_(i,j) generated in (6), the master key generation part 110 generates a basis B*_(t) from the orthonormal basis A_(t) generated in (4).

(8) The master key generation part 110 sets {param_(Vt)}_(t=0, . . . , d) generated in (4) and g_(T) in param_(n→).

(S102: CP-FE Master Key Generation Step)

Using the processing device, the master key generation part 110 computes Formula 123, and thus generates a public parameter pk^(CP-FE) and a master key sk^(CP-FE) of functional encryption.

$\begin{matrix} {\left( {{p\; k^{{CP} - {FE}}},{sk}^{{CP} - {FE}}} \right)\overset{R}{}{{Setup}_{{CP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 123} \right\rbrack \end{matrix}$

(S103: Public Parameter Generation Step)

Using the processing device, the master key generation part 110 generates a subbasis B̂₀ of the basis B₀ and a subbasis B̂_(t) of the basis B_(t), as indicated in Formula 124.

₀:=(b _(0.1) ,b _(0.2) ,b _(0.3) ,b _(0.4) ,b _(0.7)),

_(t):=(b _(t.1) , . . . ,b _(t.n) _(t) ,b _(t.N) _(t) ) for t=1, . . . ,d  [Formula 124]

The master key generation part 110 generates a public parameter pk by putting together the public parameter pk^(CP-FE), the security parameter λ, param_(n→), the subbasis B̂₀ and the subbasis B̂_(t), basis vectors b*_(0.2), b*_(0.3), b*_(0.4), and b*_(0.6), and basis vectors b*_(t.1), . . . , b*_(t.nt), b*_(t.nt+ut+1), . . . , and b*_(t.nt+ut+z) for each integer t=1, . . . , d.

(S104: Master Key Generation Step)

The master key generation part 110 generates a subbasis B̂*₀ of the basis B*₀ generated in (S101), as indicated in Formula 125.

*₀:=(b* _(0.1) ,b* _(0.2) ,b* _(0.3) ,b* _(0.4) ,b* _(0.7)),

*_(t):=(b* _(t.1) , . . . ,b* _(t.n) _(t) ,b* _(t.N) _(t) ) for t=1, . . . ,d  [Formula 125]

The master key generation part 110 generates a master key sk which is constituted by the master key sk^(CP-FE) and a basis vector b*_(0.1).

(S105: Master Key Storage Step)

The master key storage part 120 stores the public parameter pk generated in (S103) in the storage device. The master key storage part 120 also stores the master key sk generated in (S104) in the storage device.

In brief, in (S101) through (S104), the key generation device 100 generates the public parameter pk and the master key sk by executing the Setup algorithm indicated in Formula 126-1 and Formula 126-2. In (S105), the key generation device 100 stores the generated public parameter pk and master key sk in the storage device.

The public parameter is published, for example, via the network, and is made available for the encryption device 200, the decryption device 300, the re-encryption device 400, and the re-encrypted ciphertext decryption device 500.

$\begin{matrix} {{{{{Setup}\left( {1^{\lambda}, {\overset{\rightarrow}{n} = \left( {{d;n_{1}},\ldots \mspace{14mu},{n_{d};u_{1}},\ldots \mspace{14mu},{u_{d};z_{1}},\ldots \mspace{14mu},z_{d}} \right)}} \right)}:\mspace{20mu} {param}_{}}:={\left( {q,,_{T},g,e} \right)\overset{R}{\leftarrow}{_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu} {N_{0}:=7},\mspace{20mu} {N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu} {for}\mspace{14mu} t}} = 1}},\ldots \mspace{14mu},d,\mspace{20mu} {\psi \overset{U}{}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{20mu} {{{for}\mspace{14mu} t} = 0},\ldots \mspace{14mu},d,{{parm}_{_{t}}:={\left( {q,,_{T},_{T},e} \right)\overset{R}{}{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}},\mspace{20mu} {X_{t} = {\begin{pmatrix} {{\overset{\rightarrow}{\chi}}_{t},1} \\ \vdots \\ {{\overset{\rightarrow}{\chi}}_{t},N_{t}} \end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}}},\mspace{20mu} {\begin{pmatrix} {{\overset{\rightarrow}{v}}_{t},1} \\ \vdots \\ {{\overset{\rightarrow}{v}}_{t},N_{t}} \end{pmatrix}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},} & \left\lbrack {{Formula}\mspace{14mu} 126\text{-}1} \right\rbrack \\ {\mspace{79mu} {{{{b_{t.i}:={\sum\limits_{j = 1}^{N_{t}}\; {\chi_{t,i,j}a_{t,j}}}},{_{t}:=\left( {b_{t{.1}},\ldots \mspace{14mu},b_{t.N_{t}}} \right)},\mspace{20mu} {b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}\; {v_{t,i,j}a_{t,j}}}},{_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.N_{t}}^{*}} \right)},\mspace{20mu} {\left( {{pk}^{{CP} - {FE}},{sk}^{{CP} - {FE}}} \right)\overset{R}{}{{Setup}_{{CP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}}}\mspace{20mu} {{{\hat{}}_{0}:=\left( {b_{0.1},b_{0.2},b_{0.3},b_{0.4},b_{0.7}} \right)},\mspace{79mu} {{\hat{}}_{t}:={{\left( {b_{t{.1}},\ldots \mspace{14mu},b_{t.n_{t}},b_{t.N_{t}}} \right)\mspace{14mu} {for}\mspace{14mu} t} = 1}},\ldots \mspace{14mu},d,\mspace{79mu} {{\hat{}}_{0}^{*}:=\left( {b_{0.1}^{*},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.6}^{*}} \right)},\mspace{34mu} {{\hat{}}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots \mspace{14mu},b_{{t.n_{t}} + u_{t} + z_{t}}^{*}} \right)}}}\mspace{20mu} {{{{for}\mspace{14mu} t} = 1},\ldots \mspace{14mu},d,\mspace{20mu} {{param}_{\overset{\rightarrow}{n}}:=\left( {\left\{ {param}_{_{t}} \right\}_{{t = 0},\ldots \mspace{14mu},d},g_{T}} \right)},{{pk}:=\left( {{pk}^{{CP} - {FE}},1^{\lambda},{param}_{\overset{\rightarrow}{n}},\left\{ {\hat{}}_{t} \right\}_{{t = 0},\ldots \mspace{14mu},d},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.6}^{*},{{\begin{Bmatrix} {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots \mspace{14mu},} \\ b_{{t.n_{t}} + u_{t} + z_{t}}^{*} \end{Bmatrix}t} = 1},\ldots \mspace{14mu},d} \right)},\mspace{20mu} {{sk}:=\left( {{sk}^{{CP} - {FE}},{\hat{}}_{0}^{*}} \right)},\mspace{20mu} {{return}\mspace{14mu} {pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 126\text{-}2} \right\rbrack \end{matrix}$

With reference to FIG. 12, the process of the KG algorithm will be described.

(S201: Information Input Step)

Using the input device, the information input part 130 takes as input an attribute set Γ:={(t, x^(→) _(t):=(x_(t.1), . . . , x_(t.nt)εF_(q) ^(nt)\{0^(→)}))| 1≦t≦d}. Note that t may be at least some of integers from 1 to d, instead of being all of integers from 1 to d. Also note that attribute information of a user of a decryption key sk_(Γ) is set in the attribute set Γ, for example.

(S202: CP-FE Decryption Key Generation Step)

Using the processing device, the CP-FE key generation part 141 computes Formula 127, and thus generates a decryption key sk_(Γ) ^(CP-FE) of functional encryption.

$\begin{matrix} {{sk}_{\Gamma}^{{CP} - {FE}}\overset{R}{}{{KG}_{{CP} - {FE}}\left( {{pk}^{{CP} - {FE}},{sk}^{{CP} - {FE}},\Gamma} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 127} \right\rbrack \end{matrix}$

(S203: Random Number Generation Step)

Using the processing device, the random number generation part 142 generates random numbers, as indicated in Formula 128.

$\begin{matrix} {\delta,{\phi \overset{U}{}_{q}},{{{{\overset{\rightarrow}{\phi}}_{t}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 128} \right\rbrack \end{matrix}$

(S204: Decryption Key k* Generation Step)

Using the processing device, the decryption key k* generation part 143 generates a decryption key k*₀, as indicated in Formula 129.

k* ₀:=(1,δ,0,0,0,φ,0

  [Formula 129]

For the basis B and the basis B* indicated in Formula 110, Formula 111 is established. Thus, Formula 129 means that 1 is set as the coefficient of the basis vector b*_(0.1) of the basis B*₀, δ is set as the coefficient of the basis vector b*_(0.2), 0 is set as the coefficient of each of the basis vectors b*_(0.3), . . . , b*_(0.5), φ is set as the coefficient of the basis vector b*_(0.6), and 0 is set as the coefficient of the basis vector b*_(0.7).

Using the processing device, the decryption key k* generation part 143 generates a decryption key k*_(t) for each integer t included in the attribute set Γ, as indicated in Formula 130.

$\begin{matrix} {{k_{t}^{*}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{\delta \; {\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\phi}}_{t},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 130} \right\rbrack \end{matrix}$

In Formula 130, δx_(t.1) , . . . , δx _(t.nt) are respectively set as the coefficient of the basis vectors b*_(t.1), . . . , b*_(t.nt) of the basis B*_(t), 0 is set as the coefficient of each of the basis vectors b*_(t.nt)+, . . . , b*_(t.nt+ut), φ_(t.1), . . . , φ_(t.zt) are respectively set as the coefficient of the basis vectors b*_(t.nt+ut+1), . . . , b*_(t.nt+ut+zt), and 0 is set as the coefficient of the basis vector b_(t.nt+ut+zt+1).

(S205: Key Transmission Step)

Using the communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(Γ) having, as elements, the decryption key sk_(Γ) ^(CP-FE) of functional encryption, the attribute set Γ, and the decryption keys k*₀ and k*_(t) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S201) through (S204), the key generation device 100 generates the decryption key sk_(Γ) by executing the KG algorithm indicated in Formula 131. In (S205), the key generation device 100 transmits the decryption key sk_(Γ) to the decryption device 300.

$\begin{matrix} {{KG}\left( {{p\; k},{sk},{\Gamma = {\left( \left\{ {{\left( {t,{\overset{\rightarrow}{x}}_{t}} \right){{\overset{\rightarrow}{x}}_{t} \in {_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}},{1 \leq t \leq d}} \right\} \right):\mspace{79mu} {{{sk}_{\Gamma}^{{CP} - {FE}}\overset{R}{}{{KG}_{{CP} - {FE}}\left( {{p\; k^{{CP} - {FE}}},{sk}^{{CP} - {FE}},\Gamma} \right)}}\mspace{79mu} \delta}}},{\phi \overset{U}{}_{q}},{{{{{\overset{\rightarrow}{\phi}}_{t}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma \mspace{79mu} k_{0}^{*}}}:=\left( {1,\delta,0,0,0,\phi,0} \right)_{_{0}^{*}}},\mspace{79mu} {k_{t}^{*}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{\delta \; {\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\phi}}_{t},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}},{{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma \mspace{79mu} {sk}_{\Gamma}}}:=\left( {{sk}_{\Gamma}^{{CP} - {FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \; \Gamma}} \right)},\mspace{79mu} {{returm}\mspace{14mu} {{sk}_{\Gamma}.}}} \right.} & \left\lbrack {{Formula}\mspace{14mu} 131} \right\rbrack \end{matrix}$

In (S201), the key generation device 100 generates a decryption key sk_(Γ) by executing the KG algorithm taking as input an attribute set Γ′:={(t, x′^(→) _(t):=(x→^(→) _(t.1), . . . , x→^(→) _(t.nt) δF_(q) ^(nt)\{0^(→)}))|1≦t≦d} in which attribute information Γ′:={(t, x′^(→) _(t):=(x→^(→) _(t.1), . . . , x′_(t.nt) εF_(q) ^(nt)\{0^(→)}))|1≦t≦d} of a user of the decryption key sk_(Γ) is set. Then, the key generation device 100 transmits the decryption key sk_(Γ):=(sk_(Γ) ^(CP-FE), Γ′, k′*₀, {k′*_(t)}_((t, x→t)εΓ′)) to the re-encrypted ciphertext decryption device 500.

The function and operation of the encryption device 200 will be described.

The encryption device 200 includes a public parameter receiving part 210, an information input part 220, a signature processing part 230, an encryption part 240, and a ciphertext transmission part 250. The encryption part 240 includes an f vector generation part 241, an s vector generation part 242, a random number generation part 243, and a ciphertext c^(enc) generation part 244.

With reference to FIG. 13, the process of the Enc algorithm will be described.

(S301: Public Parameter Receiving Step)

Using the communication device and via the network, for example, the public parameter receiving part 210 receives the public parameter pk generated by the key generation device 100.

(S302: Information Input Step)

Using the input device, the information input part 220 takes as input an access structure S:=(M, ρ). Note that the access structure S is to be set according to the conditions of a system to be implemented, and that attribute information of a user capable of decrypting a ciphertext ct_(S) is set in ρ of the access structure S, for example. Note that ρ(i)=(t, v^(→) _(i):=(v_(i.1), . . . , v_(i.nt))εF_(q) ^(nt)\{0^(→)}) (v_(i.nt)≠0).

Using the input device, the information input part 220 also takes as input a message m to be transmitted to the decryption device 300.

(S303: Signature Key Generation Step)

Using the processing device, the signature processing part 230 computes Formula 132, and thus generates a signature key sigk and a verification key verk of one-time signature.

$\begin{matrix} {\left( {{sigk},{verk}} \right)\overset{R}{}{{SigKG}\left( 1^{\lambda} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 132} \right\rbrack \end{matrix}$

(S304: f Vector Generation Step)

Using the processing device, the f vector generation part 241 randomly generates a vector f having r pieces of elements, as indicated in Formula 133.

$\begin{matrix} {\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 133} \right\rbrack \end{matrix}$

(S305: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix M included in the access structure S and the vector f^(→), the s vector generation part 242 generates a vector s^(→T), as indicated in Formula 134.

{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 134]

Using the processing device and based on the vector f^(→), the s vector generation part 242 also generates a value so, as indicated in Formula 135.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 135]

(S306: Random Number Generation Step)

Using the processing device, the random number generation part 243 generates random numbers, as indicated in Formula 136.

$\begin{matrix} {\rho,\eta,{\zeta \overset{U}{}_{q}},\theta_{i},{{{\eta_{i}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L} & \left\lbrack {{Formula}\mspace{14mu} 136} \right\rbrack \end{matrix}$

(S307: Ciphertext c^(enc) Generation Step)

Using the processing device, the ciphertext c^(enc) generation part 244 generates a ciphertext c^(enc) ₀, as indicated in Formula 137.

c ₀ ^(enc):=(ζ,−s ₀,ρ(verk,1),0,0,η

  [Formula 137]

Using the processing device, the ciphertext c^(enc) generation part 244 also generates a ciphertext c^(enc) _(i) for each integer i=1, . . . , L, as indicated in Formula 138.

$\begin{matrix} {\mspace{79mu} {{{{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{79mu} {c_{i}^{enc}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{0^{z_{t}},} & \overset{\overset{1}{}}{\eta_{i}} \end{pmatrix}_{_{t}}},\mspace{79mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {c_{i}^{enc}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{0^{z_{t}},} & \overset{\overset{1}{}}{\eta_{i}} \end{pmatrix}_{_{t}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 138} \right\rbrack \end{matrix}$

Using the processing device, the ciphertext c^(enc) generation part 244 also generates a ciphertext c^(enc) _(d+1), as indicated in Formula 139.

c _(d+1) ^(enc) =m·g _(T) ^(ζ)  [Formula 139]

(S308: Signature Generation Step)

Using the processing device, the signature processing part 230 computes Formula 140, and thus generates a signature Sig for an element C:=(S, {c^(enc) _(i)}_(i=0, . . . , L), c^(enc) _(d+1)) of the ciphertext ct_(S).

$\begin{matrix} {{Sig}\overset{R}{}{{Sig}\left( {{sigk},{C = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu} {\ldots \mspace{11mu} L}},c_{d + 1}^{enc}} \right)}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 140} \right\rbrack \end{matrix}$

(S309: Ciphertext Transmission Step)

Using the communication device and via the network, for example, the ciphertext transmission part 250 transmits the ciphertext ct_(S) having, as elements, the access structure S, the ciphertexts c^(enc) ₀, c^(enc) ₁, . . . , c^(enc) _(L), and c^(enc) _(d+1), the verification key verk, and the signature Sig to the decryption device 300. As a matter of course, the ciphertext ct_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S301) through (S308), the encryption device 200 generates the ciphertext ct_(S) by executing the Enc algorithm indicated in Formula 141. In (S309), the encryption device 200 transmits the generated ciphertext ct_(S) to the decryption device 300.

$\begin{matrix} {\mspace{79mu} {{{{Enc}\left( {{p\; k},m,{ = \left( {M,\rho} \right)}} \right)}\text{:}}\mspace{79mu} {\left( {{sigk},{verk}} \right)\overset{R}{}{{SigKG}\left( 1^{\lambda} \right)}}\mspace{79mu} {{\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}},{{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{79mu} {s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{79mu} \rho,\eta,{\zeta \overset{U}{}_{q}},\mspace{79mu} {c_{0}^{enc}:=\left( {\zeta,{- s_{0}},{\rho \left( {{verk},1} \right)},0,0,\eta} \right)_{_{0}}},\mspace{79mu} {{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}} \smallsetminus \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{79mu} \theta_{i},{\eta_{i}\overset{U}{}_{q}},\mspace{85mu} {c_{i}^{enc}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{0^{z_{t}},} & \overset{\overset{1}{}}{\eta_{i}} \end{pmatrix}_{_{t}}},\mspace{79mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {\eta_{i}\overset{U}{}_{q}},\mspace{85mu} {c_{i}^{enc}:=\begin{pmatrix} \overset{\overset{n_{t}}{}}{{s_{i}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{0^{z_{t}},} & \overset{\overset{1}{}}{\eta_{i}} \end{pmatrix}_{_{t}}},\mspace{79mu} {c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}},\mspace{79mu} {{Sig}\overset{R}{}{{Sig}\left( {{sigk},{C = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu} {\ldots \mspace{11mu} L}},c_{d + 1}^{enc}} \right)}} \right)}}}\mspace{79mu} {{{ct}_{} = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\mspace{11mu} \ldots \mspace{11mu},\; L},c_{d + 1}^{enc},{verk},{Sig}} \right)},\mspace{79mu} {{return}\mspace{14mu} {{ct}_{}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 141} \right\rbrack \end{matrix}$

The function and operation of the decryption device 300 will be described.

The decryption device 300 includes a decryption key receiving part 310, an information input part 320, a re-encryption key generation part 330, a re-encryption key transmission part 340, a ciphertext receiving part 350, a verification part 360, a complementary coefficient computation part 370, a pairing operation part 380, and a message computation part 390. The re-encryption key generation part 330 includes a random number generation part 331, a conversion information W₁ generation part 332, a conversion information W₁ encryption part 333, a decryption key k*^(rk) generation part 334, and a conversion part 335. The verification part 360 includes a span program computation part 361 and a signature verification part 362.

With reference to FIG. 14, the process of the RKG algorithm will be described. The Dec2 algorithm will be described later.

(S401: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(Γ) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S402: Information Input step)

Using the input device, the information input part 320 takes as input an access structure S′:=(M′, ρ′). Note that the access structure S′ is to be set according to the conditions of a system to be implemented, and that attribute information of a user capable of decrypting a re-encrypted ciphertext CT_(S′) is set in ρ′ of the access structure S′, for example. Note that ρ′(i)=(t,v^(→)′_(i):=(v′_(i.1), . . . ,v′_(i.nt))εF_(q) ^(nt)\{0^(→)})(v′_(i,nt)≠0).

(S403: Random Number Generation Step)

Using the processing device, the random number generation part 331 generates random numbers, as indicated in Formula 142.

$\begin{matrix} {\delta^{\prime},{\phi^{\prime}\overset{U}{}_{q}},{{{{\overset{\rightarrow}{\phi}}_{t}^{\prime}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 142} \right\rbrack \end{matrix}$

(S404: Conversion Information W₁ Generation Step)

Using the processing device, the conversion information W₁ generation part 332 generates conversion information W₁, as indicated in Formula 143.

$\begin{matrix} {W_{1}\overset{R}{}{{GL}\left( {7,_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 143} \right\rbrack \end{matrix}$

(S405: Conversion Information W₁ Encryption Step)

Using the processing device, the conversion information W₁ encryption part 333 computes Formula 144, and thus encrypts the conversion information W₁ with functional encryption and generates encrypted conversion information ψ^(rk). Since the conversion information W₁ is encrypted with functional encryption on input of the access structure S′, the conversion information W₁ is encrypted with the attribute information of the user capable of decrypting the re-encrypted ciphertext CT_(S′) being set.

$\begin{matrix} {\psi^{rk}\overset{R}{}{{Enc}_{{CP} - {FE}}\left( {{p\; k^{{CP} - {FE}}},^{\prime},W_{1}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 144} \right\rbrack \end{matrix}$

(S406: Decryption Key k*^(rk) Generation Step)

Using the processing device, the decryption key k*^(rk) generation part 334 generates a decryption key k*^(rk) ₀, as indicated in Formula 145.

k* ₀ ^(rk):=(k* ₀+(0,δ′,0,0,0,ρ′,0

)W ₁  [Formula 145]

Using the processing device, the decryption key k*^(rk) generation part 334 also generates a decryption key k*^(rk) _(t) for each integer t included in the attribute set Γ, as indicated in Formula 146.

$\begin{matrix} {{k_{t}^{*{rk}}:={k_{t}^{*} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{}}{0^{u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\phi}}_{t}^{\prime},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 146} \right\rbrack \end{matrix}$

(S407: Conversion Step)

Using the processing device, the conversion part 335 computes Formula 147, and thus generates a basis D^(̂*) ₀.

d* _(0.i) :=b* _(0.i) ,W ₁ for i=2,3,4,6,

*₀:=(d* _(0.2) ,d* _(0.3) ,d* _(0.4) ,d* _(0.6))  [Formula 147]

(S408: Key Transmission Step)

Using the communication device and via the network, for example, the re-encryption key transmission part 340 transmits the re-encryption key rk_((Γ.S′)) having, as elements, the attribute set Γ, the access structure S′, the decryption keys k*^(rk) ₀ and k*^(rk) _(t), the encrypted conversion information ψ^(rk), and the basis D^(̂*) ₀ to the re-encryption device 400 in secrecy. As a matter of course, the re-encryption key rk_((Γ.S′)) may be transmitted to the re-encryption device 400 by another method.

In brief, in (S401) through (S407), the decryption device 300 generates the re-encryption key rk_((Γ.S′)) by executing the RKG algorithm indicated in Formula 148. In (S408), the decryption device 300 transmits the generated re-encryption key rk_((Γ.S′)) to the re-encryption device 400.

$\begin{matrix} {{{{RKG}\left( {{pk}, {{sk}_{\Gamma} = \left( {{sk}_{\Gamma}^{{CP}\text{-}{FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right)},{^{\prime} = \left( {M^{\prime},\rho^{\prime}} \right)}} \right)}\text{:}}\delta^{\prime},{\phi^{\prime}\overset{U}{\leftarrow}_{q}},{{{\overset{\rightarrow}{\phi}}_{t}^{\prime}\overset{U}{\leftarrow}{_{q}^{z_{t}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)}} \in \Gamma},{W_{1}\overset{R}{\leftarrow}{{GL}\left( {7,_{q}} \right)}},{\psi^{rk}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},^{\prime},W_{1}} \right)}},{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,\delta^{\prime},0,0,0,\phi^{\prime},0} \right)_{_{0}^{*}}} \right)W_{1}}},{k_{t}^{*{rk}}:={k_{t}^{*} + \left( {{\overset{n_{t}}{\overset{}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},}}\overset{u_{t}}{\overset{}{0_{t}^{\mu}}}},{\overset{z_{t}}{\overset{}{{\overset{\rightarrow}{\phi}}_{t}^{\prime},}}\overset{1}{\overset{}{0}}}} \right)_{_{t}^{*}}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},{d_{0.i}^{*}:={{b_{0.i}^{*}W_{1}\mspace{14mu} {for}\mspace{14mu} i} = 2}},3,4,6,{{\hat{}}_{0}^{*}:=\left( {d_{0.2}^{*},d_{0.3}^{*},d_{0.4}^{*},d_{0.6}^{*}} \right)},{{rk}_{({\Gamma.^{\prime}})} = \left( {\Gamma,^{\prime},k_{0}^{*{rk}},\left\{ k_{t}^{*{rk}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma},\psi^{rk},{\hat{}}_{0}^{*}} \right)},{{return}\mspace{14mu} {{rk}_{({\Gamma.^{\prime}})}.}}} & \left\lbrack {{Formula}\mspace{14mu} 148} \right\rbrack \end{matrix}$

The function and operation of the re-encryption device 400 will be described.

The re-encryption device 400 includes a public parameter receiving part 410, a ciphertext receiving part 420, a re-encryption key receiving part 430, a verification part 440, an encryption part 450, and a re-encrypted ciphertext transmission part 460. The verification part 440 includes a span program computation part 441 and a signature verification part 442. The encryption part 450 includes a random number generation part 451, an f vector generation part 452, an s vector generation part 453, a conversion information W₂ generation part 454, a conversion information W₂ encryption part 455, a ciphertext c^(renc) generation part 456, and a decryption key k*^(renc) generation part 457.

With reference to FIG. 15, the process of the REnc algorithm will be described.

(S501: Public Parameter Receiving Step)

Using the communication device and via the network, for example, the public parameter receiving part 410 receives the public parameter pk generated by the key generation device 100.

(S502: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 420 receives the ciphertext ct_(S) transmitted by the encryption device 200.

(S503: Re-Encryption Key Receiving Step)

Using the communication device and via the network, for example, the re-encryption key receiving part 430 receives the re-encryption key rk_((Γ.S′)) transmitted by the decryption device 300.

(S504: Span Program Computation Step)

Using the processing device, the span program computation part 441 determines whether or not the access structure S included in the ciphertext ct_(S) accepts Γ included in the re-encryption key rk_((Γ.S′)). The method for determining whether or not the access structure S accepts Γ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S504), the span program computation part 441 advances the process to (S505). If the access structure S rejects Γ (reject in S504), the span program computation part 441 ends the process.

(S505: Signature Verification Step)

Using the processing device, the signature verification part 442 determines whether or not a result of computing Formula 149 is 1. If the result is 1 (valid in S505), the signature verification part 442 advances the process to (S506). If the result is 0 (invalid in S505), the signature verification part 442 ends the process.

Ver(verk,C=(

,{c _(i) ^(enc)}_(i=0, . . . L) ,c _(d+1) ^(enc)),Sig)  [Formula 149]

(S506: Random Number Generation Step)

Using the processing device, the random number generation part 451 generates random numbers, as indicated in Formula 150.

$\begin{matrix} {\delta^{''},\phi^{''},\sigma,\rho^{\prime},\eta^{\prime},\zeta^{\prime},\theta_{i}^{\prime},{{\eta_{i}^{\prime}\overset{U}{\leftarrow}{_{q}\mspace{14mu} {for}\mspace{14mu} i}} = 1},\cdots \mspace{14mu},L,\mspace{79mu} {{{\overset{\rightarrow}{\phi}}_{t}^{''}\overset{U}{\leftarrow}{_{q}^{z_{t}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)}} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 150} \right\rbrack \end{matrix}$

(S507: f Vector Generation Step)

Using the processing device, the f vector generation part 452 randomly generates a vector f^(→)′ having r pieces of elements, as indicated in Formula 151.

$\begin{matrix} {{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\leftarrow}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 151} \right\rbrack \end{matrix}$

(S508: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix M included in the access structure S and the vector f^(→)′, the s vector generation part 453 generates a vector s^(→)′^(T), as indicated in Formula 152.

{right arrow over (s)}′ ^(T):=(s′ ₁ , . . . ,s′ _(L))^(T) :=M·{right arrow over (f)}′ ^(T)  [Formula 152]

Using the processing device and based on the vector f^(→)′, the s vector generation part 453 also generates a value s₀′, as indicated in Formula 153.

s′ ₀:={right arrow over (1)}·{right arrow over (f)}′ ^(T)  [Formula 153]

(S509: Conversion Information W₂ Generation Step)

Using the processing device, the conversion information W₂ generation part 454 generates conversion information W₂, as indicated in Formula 154.

$\begin{matrix} {W_{2}\overset{R}{\leftarrow}{{GL}\left( {7,_{q}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 154} \right\rbrack \end{matrix}$

(S510: Conversion Information W₂ Encryption Step)

Using the processing device, the conversion information W₂ encryption part 455 computes Formula 155, and thus encrypts the conversion information W₂ with functional encryption and generates encrypted conversion information ψ^(renc). Since the conversion information W₂ is encrypted with functional encryption on input of the access structure S′, the conversion information W₂ is encrypted with the attribute information of the user capable of decrypting the re-encrypted ciphertext CT_(S′) being set.

$\begin{matrix} {\psi^{renc}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},^{\prime},W_{2}} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 155} \right\rbrack \end{matrix}$

(S511: Ciphertext c^(renc) Generation Step)

Using the processing device, the ciphertext c^(renc) generation part 456 also generates a ciphertext c^(renc) ₀, as indicated in Formula 156.

c ₀ ^(renc):=(c ₀ ^(enc)+(ζ′,−s′ ₀,ρ′(verk,1),0,0,η′

)W ₂  [Formula 156]

Using the processing device, the ciphertext c^(renc) generation part 456 also generates a ciphertext c^(renc) _(i) for each integer i=1, . . . , L, as indicated in Formula 157.

$\begin{matrix} {\mspace{79mu} {{{{{{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}},\mspace{79mu} {c_{i}^{renc}:={c_{i}^{enc} + \left( {{\overset{n_{t}}{\overset{}{{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}},}}\overset{u_{t}}{\overset{}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{}{0^{z_{t}},}}\overset{1}{\overset{}{\eta_{i}^{\prime}}}}} \right)_{_{t}}}},\mspace{79mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {c_{i}^{renc}:={c_{i}^{enc} + \left( {{\overset{n_{t}}{\overset{}{{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}},}}\overset{u_{t}}{\overset{}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{}{0^{z_{i}},}}\overset{1}{\overset{}{\eta_{i}^{\prime}}}}} \right)_{_{t}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 157} \right\rbrack \end{matrix}$

Using the processing device, the ciphertext c^(renc) generation part 456 also generates a ciphertext c^(renc) _(d+1), as indicated in Formula 158.

c _(d+1) ^(renc) =c _(d+1) ^(enc) ·g _(T) ^(ζ′)  [Formula 158]

(S512: Decryption Key k*^(renc) Generation Step)

Using the processing device, the decryption key k*^(renc) generation part 457 generates a decryption key k*^(renc) ₀, as indicated in Formula 159.

k* ₀ ^(renc) :=k* ^(rk)+(0,δ″,σ(−1,verk),0,φ″,0

  [Formula 159]

Using the processing device, the decryption key k*^(renc) generation part 457 also generates a decryption key k*^(renc) _(t) for each integer t included in the attribute set Γ, as indicated in Formula 160.

$\begin{matrix} {{k_{t}^{*{renc}}:={k_{t}^{*{rk}} + \left( {{\overset{n_{t}}{\overset{}{{\delta^{''}{\overset{\rightarrow}{x}}_{t}},}}\overset{u_{t}}{\overset{}{0^{u_{t}}}}},{\overset{z_{t}}{\overset{}{{\overset{\rightarrow}{\phi}}_{t}^{''},}}\overset{1}{\overset{}{0}}}} \right)_{_{t}^{*}}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 160} \right\rbrack \end{matrix}$

(S513: Re-Encrypted Ciphertext Transmission Step)

Using the communication device and via the network, for example, the re-encrypted ciphertext transmission part 460 transmits the re-encrypted ciphertext CT_(S′) having, as elements, the access structure S′, the access structure S, the attribute set Γ, the decryption keys k*^(renc) ₀ and k*^(renc) _(t), the ciphertexts c^(renc) ₀, c^(renc) _(i), and c^(renc) _(d+1), the encrypted conversion information ψ^(rk), and the encrypted conversion information ψ^(renc) to the re-encryption device 400 in secrecy. As a matter of course, the re-encrypted ciphertext CT_(S′) may be transmitted to the re-encryption device 400 by another method.

In brief, in (S501) through (S512), the re-encryption device 400 generates the re-encrypted ciphertext CT_(S′) by executing the REnc algorithm indicated in Formula 161-1 and Formula 161-2. In (S513), the re-encryption device 400 transmits the generated re-encrypted ciphertext CT_(S′) to the re-encrypted ciphertext decryption device 500.

$\begin{matrix} {{{{\left. {{REnc}\left( {{rk},_{({\Gamma,^{\prime}})}{= \left( {\Gamma,^{\prime},k_{0}^{*{rk}},\left\{ k_{t}^{*{rk}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma},\psi^{rk},{\hat{}}_{0}^{*}} \right)},{{ct}_{} = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots \mspace{14mu},L},c_{d + 1}^{enc}} \right)},{verk},{Sig}} \right)} \right)\text{:}}{{{{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}},{{and}\; \left. \quad\mspace{11mu} {{{{{Ve}r}\left( {{verk},{C = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots \mspace{14mu},L},c_{d + 1}^{enc}} \right)},{Sig}} \right)} = 1},{{then}{\mspace{11mu} \;}{compute}\mspace{14mu} {following}\mspace{20mu} \left\{ c_{i}^{renc} \right\}_{{i = 0},\ldots \mspace{14mu},L}},c_{d + 1}^{renc}} \right)},k_{0}^{*{renc}},\; {{and}\mspace{14mu} \left\{ k_{t}^{*{renc}} \right\}_{{({t,\overset{\rightarrow}{x}})} \in \Gamma}}}}{\delta^{''},\phi^{''},\sigma,\rho^{\prime},\eta^{\prime},{\zeta^{\prime}\overset{U}{\leftarrow}_{q}},{{\overset{\rightarrow}{\phi}}_{t}^{''}\; \overset{U}{\leftarrow}_{q}^{z_{t}}},\mspace{11mu} {{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}{{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{\leftarrow}_{q}^{r}},{{{\overset{\rightarrow}{s}}^{\prime}}^{T}:={\left( {s_{1}^{\prime},\ldots \mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {{\overset{\rightarrow}{f}}^{\prime}}^{T}}}},{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}},\; {W_{2}\overset{R}{\leftarrow}{{GL}\left( {7,_{q}} \right)}},\mspace{14mu} {\psi^{renc}\overset{R}{\leftarrow}{{Enc}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},^{\prime},W_{2}} \right)}},}}\mspace{59mu}} & \left\lbrack {{Formula}\mspace{14mu} 161\text{-}1} \right\rbrack \end{matrix}$

The function and operation of the re-encrypted ciphertext decryption device 500 will be described.

The re-encrypted ciphertext decryption device 500 includes a decryption key receiving part 510, a ciphertext receiving part 520, a span program computation part 530, a complementary coefficient computation part 540, a conversion information generation part 550, a conversion part 560, a pairing operation part 570, and a message computation part 580. The pairing operation part 570 and the message computation part 580 will be referred to collectively as a decryption part.

With reference to FIG. 16, the process of the Dec1 algorithm will be described.

(S601: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 510 receives the decryption key sk_(Γ), transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S602: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 520 receives the re-encrypted ciphertext CT_(S′) transmitted by the re-encryption device 400.

(S603: Span Program Computation Step)

Using the processing device, the span program computation part 530 determines whether or not the access structure S included in the re-encrypted ciphertext CT_(S′) accepts Γ included in the re-encrypted ciphertext CT_(S′), and determines whether or not the access structure S′ included in the re-encrypted ciphertext CT_(S′) accepts Γ′ included in the decryption key sk_(Γ′). The method for determining whether or not the access structure S accepts Γ and whether or not the access structure S′ accepts Γ′ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ and the access structure S′ accepts Γ′ (accept in S603), the span program computation part 530 advances the process to (S604). If the access structure S rejects Γ or the access structure S′ rejects Γ′ (reject in S603), the span program computation part 530 ends the process.

(S604: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computation part 540 computes I and a constant (complementary coefficient) {α_(i)}_(iεI) such that Formula 162 is satisfied.

$\begin{matrix} {\mspace{79mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i = I}^{\;}{\alpha_{i}M_{i}}}}\mspace{79mu} {{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}}} & \left\lbrack {{Formula}\mspace{14mu} 162} \right\rbrack \end{matrix}$

(S605: Conversion Information Generation Step)

Using the processing device, the conversion information generation part 550 generates conversion information W₁ ^(˜) and W₂ ^(˜), as indicated in Formula 163.

$\begin{matrix} {{{\overset{\sim}{W}}_{1}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{renc}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 163} \right\rbrack \end{matrix}$

(S606: Conversion Step)

Using the processing device, the conversion part 560 generates a decryption key k*₀ ^(˜) by converting the basis of the decryption key k*^(renc) ₀, and generates a ciphertext c₀ ^(˜) by converting the basis of the ciphertext c^(renc), as indicated in Formula 164.

{tilde over (k)}* ₀ :=k* ₀ ^(renc) {tilde over (W)} ₁ ⁻¹,

{tilde over (c)} ₀ :=c ₀ ^(renc) {tilde over (W)} ₂ ⁻¹  [Formula 164]

(S607: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computes Formula 156, and thus generates a session key K^(˜).

$\begin{matrix} {\overset{\sim}{K}:={{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho {(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)} {\alpha_{i} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho {(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 165} \right\rbrack \end{matrix}$

(S608: Message Computation Step)

Using the processing device, the message computation part 390 computes m′=c^(enc) _(d+1)/K^(˜), and thus generates a message m′(=m).

In brief, in (S601) through (S608), the re-encrypted ciphertext decryption device 500 generates the message m′(=m) by executing the Dec1 algorithm indicated in Formula 166.

$\begin{matrix} {\left. {{\left. {{Dec}_{1}\left( {{pk}, {{sk}_{\Gamma^{\prime}} = \left( {{sk}_{\Gamma^{\prime}}^{{CP}\text{-}{FE}},\Gamma^{\prime},k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{i}^{\prime}})} \in \Gamma^{\prime}}} \right)},{{CT}_{^{\prime}} = \left( {^{\prime},,\Gamma,k_{0}^{*{renc}},\left\{ k_{t}^{*{renc}} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}^{\prime}})} \in \Gamma^{\prime}}} \right)},{{\left\{ c_{i}^{renc} \right\} i} = 0},\ldots \mspace{14mu},L,c_{d + 1}^{renc},\psi^{rk},\psi^{renc}} \right)} \right)\text{:}}{{{{If}\mspace{14mu} \mspace{14mu} {accepts}{\mspace{11mu} \;}\Gamma}:={{\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\} \mspace{14mu} {and}{\mspace{11mu} \;}^{\prime}\mspace{14mu} {accepts}\mspace{14mu} \Gamma^{\prime}}:=\left( {t,\left( {\overset{\rightarrow}{x}}_{t}^{\prime} \right)} \right\}}},{{then}\mspace{14mu} {compute}\mspace{14mu} I{\mspace{11mu} \;}{and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}{\mspace{11mu} \;}{that}}}{\overset{\rightarrow}{1} = {\sum\limits_{i = I}^{\;}{\alpha_{i}M_{i}}}}{{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}{\mspace{11mu} \;}{of}\mspace{14mu} M},{{{and}{\quad\quad}\mspace{14mu} I} \subseteq {\left\{ \left. {i \in \left\{ {1,\ldots \mspace{14mu}, L} \right\}} \middle| {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \right.\quad \right.\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack}}}} \right\},\; {{\overset{\sim}{W}}_{1}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{\leftarrow}{{Dec}_{{CP}\text{-}{FE}}\left( {{pk}^{{CP}\text{-}{FE}},{sk}_{\Gamma}^{{CP}\text{-}{FE}},\psi^{renc}} \right)}},{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},{{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}},{\overset{\sim}{K}:={{{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho {(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)} {\alpha_{i} \cdot {\prod\limits_{i \in {{I\bigwedge{\rho {(i)}}} - {({t,{\overset{\rightarrow}{v}}_{i}})}}}^{\;}\; {{\left( {c_{i}^{renc},k_{t}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}m^{\prime}}}}}}}:={c_{d + 1}^{enc}/\overset{\sim}{K}}}},{{return}\mspace{14mu} {m^{\prime}.}}} & \left\lbrack {{Formula}\mspace{14mu} 166} \right\rbrack \end{matrix}$

With reference to FIG. 17, the process of the Dec2 algorithm will be described.

(S701: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(Γ) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S702: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 350 receives the ciphertext ct_(S) transmitted by the re-encryption device 400.

(S703: Span Program Computation Step)

Using the processing device, the span program computation part 361 determines whether or not the access structure S included in the ciphertext ct_(S) accepts Γ included in the decryption key sk_(Γ). The method for determining whether or not the access structure S accepts Γ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S703), the span program computation part 361 advances the process to (S704). If the access structure S rejects Γ (reject in S703), the span program computation part 361 ends the process.

(S704: Signature Verification Step)

Using the processing device, the signature verification part 362 determines whether or not a result of computing Formula 167 is 1. If the result is 1 (valid in S704), the signature verification part 442 advances the process to (S705). If the result is 0 (invalid in S704), the signature verification part 442 ends the process.

Ver(verk,C=(

,{c _(i) ^(enc)}_(i=0, . . . L) ,c _(d+1) ^(enc)),Sig)  [Formula 167]

(S705: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computation part 370 computes I and a constant (complementary coefficient) {α_(i)}_(iεI) such that Formula 168 is satisfied.

$\begin{matrix} {\mspace{85mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}}}}\mspace{20mu} {{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}}} & \left\lbrack {{Formula}\mspace{14mu} 168} \right\rbrack \end{matrix}$

(S706: Pairing Operation Step)

Using the processing device, the pairing operation part 380 computes Formula 169, and thus generates a session key K.

$\begin{matrix} {K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {e\left( {c_{i}^{enc},k_{t}^{*}} \right){\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 169} \right\rbrack \end{matrix}$

(S707: Message Computation Step)

Using the processing device, the message computation part 390 computes m′=c^(enc) _(d+1)/K, and thus generates a message m′(=m).

In brief, in (S701) through (S707), the decryption device 300 generates the message m′(=m) by executing the Dec2 algorithm indicated in Formula 170.

$\begin{matrix} {{{{{Dec}_{2}\begin{pmatrix} {{pk},{{sk}_{\Gamma} = \left( {{sk}_{\Gamma}^{{CP} - {FE}},\Gamma,k_{0}^{*},\left\{ k_{t}^{*} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma}} \right)},} \\ {{ct}_{} = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots \mspace{14mu},L},c_{d + 1}^{enc},{verk},{Sig}} \right)} \end{pmatrix}}:\mspace{20mu} {{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}{{{{and}\mspace{14mu} {{Ver}\left( {{verk},{C = \left( {,\left\{ c_{i}^{enc} \right\}_{{i = 0},\ldots \mspace{14mu},L},c_{d + 1}^{enc}} \right)},{Sig}} \right)}} = 1},\mspace{20mu} {{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}}}\text{}\mspace{25mu} {\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M}}}\mspace{20mu} {{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \left\{ {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \middle| {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \right\}}}{K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{i}^{enc},k_{t}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}\mspace{20mu} {{m^{\prime} = {c_{d + 1}^{enc}/K}},\mspace{20mu} {{return}\mspace{14mu} {m^{\prime}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 170} \right\rbrack \end{matrix}$

As described above, the cryptographic system according to Embodiment 1 can implement the CP-FPRE scheme. Thus, a ciphertext can be forwarded to a set of various types of users with a single re-encryption key.

As a result, for example, various ciphertexts existing on a network can be securely forwarded to users having various attributes, without decrypting the ciphertexts. It is thus possible to securely and practically entrust processing of ciphertexts to a trusted third party.

It has been described above that the decryption device 300 also functions as a re-encryption key generation device, and that the decryption device 300 executes the RKG algorithm as well as the Dec2 algorithm. However, the decryption device 300 and the re-encryption key generation device may be implemented separately. In this case, the decryption device 300 executes the Dec2 algorithm, and the re-encryption key generation device executes the RKG algorithm. In this case, therefore, the decryption device 300 includes functional components that are required to execute the Dec2 algorithm, and the re-encryption key generation device includes functional components that are required to execute the RKG algorithm.

Embodiment 2

The CP-FPRE scheme has been described in Embodiment 1. In Embodiment 2, a key-policy FPRE scheme (KP-FPRE) scheme will be described.

First, a basic structure of the KP-FPRE scheme will be described. Then, a basic configuration of a cryptographic processing system 10 that implements the KP-FPRE scheme will be described. Then, items used for implementing the KP-FPRE scheme will be described. Then, the KP-FPRE scheme and the cryptographic processing system 10 according to this embodiment will be described in detail.

The basic structure of the KP-FPRE scheme will be briefly described. KP (key policy) means that a policy, namely an access structure, is embedded in a key.

<1-1. Basic Structure of KP-FPRE Scheme>

The KP-FPRE scheme consists of seven algorithms: Setup, KG, Enc, RKG, Renc, Dec1, and Dec2.

(Setup)

A Setup algorithm is a probabilistic algorithm that takes as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and outputs a public parameter pk and a master key sk.

(KG)

A KG algorithm is a probabilistic algorithm that takes as input an access structure S=(M, ρ), the public parameter pk, and the master key sk, and outputs a decryption key sk_(S).

(Enc)

An Enc algorithm is a probabilistic algorithm that takes as input a message m, an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t)εF_(q) ^(nt), 1≦t≦d}, and the public parameter pk, and outputs a ciphertext ct_(Γ).

(RKG)

An RKG algorithm is a probabilistic algorithm that takes as input the decryption key sk_(S), an attribute set Γ′:={(t, x′^(→) _(t))|x′^(→) _(t) εF_(q) ^(nt), 1≦t≦d}, and the public parameter pk, and output a re-encryption key rk_((S.Γ′)).

(REnc)

An REnc algorithm is a probabilistic algorithm that takes as input the ciphertext ct_(Γ), the re-encryption key rk_((S.Γ′)), and the public parameter pk, and outputs a re-encrypted ciphertext CT_(Γ).

(Dec1)

A Dec1 algorithm is an algorithm that takes as input the re-encrypted ciphertext CT_(Γ), the decryption key sk_(S′), and the public parameter pk, and outputs the message m or the distinguished symbol ⊥.

(Dec2)

A Dec2 algorithm is an algorithm that takes as input the ciphertext ct_(Γ), the decryption key sk_(Γ), and the public parameter pk, and outputs the message m or the distinguished symbol ⊥.

<1-2. Cryptographic Processing System 10>

The cryptographic processing system 10 that executes the algorithms of the KP-FPRE scheme will be described.

FIG. 18 is a configuration diagram of the cryptographic processing system 10 that implements the KP-FPRE scheme.

Like the cryptographic processing system 10 illustrated in FIG. 5, the cryptographic processing system 10 includes a key generation device 100, an encryption device 200, a decryption device 300 (re-encryption key generation device), a re-encryption device 400, and a re-encrypted ciphertext decryption device 500.

The key generation device 100 executes the Setup algorithm taking as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d); u₁, . . . , u_(d); z₁, . . . , z_(d)), and thus generates a public parameter pk and a master key sk.

Then, the key generation device 100 publishes the public parameter pk. The key generation device 100 also executes the KG algorithm taking as input an access structure S, and thus generates a decryption key sk_(S), and transmits the decryption key sk_(S) to the decryption device 300 in secrecy. The key generation device 100 also executes the KG algorithm taking as input an access structure S′, and thus generates a decryption key sk_(S′), and transmits the decryption key sk_(S′) to the re-encrypted ciphertext decryption device 500 in secrecy.

The encryption device 200 executes the Enc algorithm taking as input a message m, an attribute set Γ, and the public parameter pk, and thus generates a ciphertext ct_(Γ). The encryption device 200 transmits the ciphertext ct_(Γ) to the re-encryption device 400.

The decryption device 300 executes the RKG algorithm taking as input the public parameter pk, the decryption key sk_(S), and an attribute set Γ′, and thus generates a re-encryption key rk_((S.Γ′)). The decryption device 300 transmits the re-encryption key rk_((S.Γ′)) to the re-encryption device 400 in secrecy.

The decryption device 300 also executes the Dec2 algorithm taking as input the public parameter pk, the decryption key sk_(S), and the ciphertext ct_(Γ), and outputs the message m or the distinguished symbol ⊥.

The re-encryption device 400 executes the REnc algorithm taking as input the public parameter pk, the re-encryption key rk_((S.Γ′)), and the ciphertext ct_(Γ), and thus generates a re-encrypted ciphertext CT_(Γ). The re-encryption device 400 transmits the re-encrypted ciphertext CT_(Γ) to the re-encrypted ciphertext decryption device 500.

The re-encrypted ciphertext decryption device 500 executes the Dec1 algorithm taking as input the public parameter pk, the decryption key sk_(S′), and the re-encrypted ciphertext CT_(Γ′), and outputs the message m or the distinguished symbol 1.

<1-3. Items Used to Implement KP-FPRE Scheme>

To implement the KP-FPRE scheme, key-policy functional encryption (KP-FE) and one-time signature are used. Since both are publicly known techniques, a scheme to be used in the following description will be briefly described. An example of a KP-FE scheme is discussed in Patent Literature 1. One-time signature is as described in Embodiment 1, and description thereof will be omitted.

The KP-FE scheme consists of four algorithms: Setup_(KP-FE), KG_(KP-FE), Enc_(KP-FE), and Dec_(KP-FE).

(Setup_(KP-FE))

A Setup_(KP-FE) algorithm is a probabilistic algorithm that takes as input a security parameter λ and an attribute format n^(→):=(d; n₁, . . . , n_(d)), and outputs a public parameter pk^(KP-FE) and a master key sk^(KP-FE).

(KG_(KP-FE))

A KG_(KP-FE) algorithm is a probabilistic algorithm that takes as input an access structure S=(M, ρ), the public parameter pk^(KP-FE), and the master key sk^(KP-FE), and outputs a decryption key sk_(S) ^(KP-FE)

(Enc_(KP-FE))

An Enc_(KP-FE) algorithm is a probabilistic algorithm that takes as input a message m, an attribute set Γ:={(t, x^(→) _(t))|x^(→) _(t) εF_(q) ^(nt), 1≦t≦d}, and the public parameter pk^(KP-FE), and outputs a ciphertext ψ.

(Dec_(KP-FE))

A Dec_(KP-FE) algorithm is an algorithm that takes as input the ciphertext ψ, the decryption key sk_(S) ^(KP-FE), and the public parameter pk^(KP-FE), and outputs the message m or the distinguished symbol ⊥.

<1-4. KP-FPRE Scheme and Cryptographic Processing System 10 in Detail>

With reference to FIG. 19 through FIG. 29, the KP-FPRE scheme will be described, and the function and operation of the cryptographic processing system 10 that implements the KP-FPRE scheme will be described.

FIG. 19 is a functional block diagram illustrating the function of the key generation device 100. FIG. 20 is a functional block diagram illustrating the function of the encryption device 200. FIG. 21 is a functional block diagram illustrating the function of the decryption device 300. FIG. 22 is a functional block diagram illustrating the function of the re-encryption device 400. FIG. 23 is a functional block diagram illustrating the function of the re-encrypted ciphertext decryption device 500.

FIG. 24 is a flowchart illustrating the operation of the key generation device 100 and illustrating the process of the KG algorithm. FIG. 25 is a flowchart illustrating the operation of the encryption device 200 and illustrating the process of the Enc algorithm. FIG. 26 is a flowchart illustrating the operation of the decryption device 300 and illustrating the process of the RKG algorithm. FIG. 27 is a flowchart illustrating the operation of the re-encryption device 400 and illustrating the process of the REnc algorithm. FIG. 28 is a flowchart illustrating the operation of the re-encrypted ciphertext decryption device 500 and illustrating the process of the Dec1 algorithm. FIG. 29 is a flowchart illustrating the operation of the decryption device 300 and illustrating the process of the Dec2 algorithm.

The function and operation of the key generation device 100 will be described.

The key generation device 100 includes a master key generation part 110, a master key storage part 120, an information input part 130, a decryption key generation part 140, and a key transmission part 150. The decryption key generation part 140 includes a random number generation part 142, a decryption key k* generation part 143, a KP-FE key generation part 144, an f vector generation part 145, and an s vector generation part 146.

The process of the Setup algorithm is the same as the process of the Setup algorithm described in Embodiment 1, and thus description thereof will be omitted. However, in S102 in Embodiment 1, a public parameter pk^(CP-FE) and a master key sk^(CP-FE) of CP-FE are generated, whereas in Embodiment 2 a public parameter pk^(KP-FE) and a master key sk^(KP-FE) of KP-FE are generated. Subbases B̂₀, B̂_(t), B̂*₀, and B̂*_(t) are constructed differently from Embodiment 1, as indicated in Formula 171.

₀:=(b _(0.1) ,b _(0.2) ,b _(0.3) ,b _(0.4) ,b _(0.6)),

_(t):=(b _(t.1) , . . . ,b _(t.n) _(t) ,b _(t.N) _(t) ) for t=1, . . . ,d

*₀:=(b* _(0.1) ,b* _(0.2) ,b* _(0.3) ,b* _(0.4) ,b* _(0.7)),

*_(t):=(b* _(t.1) , . . . ,b* _(t.n) _(t) ,b* _(t.N) _(t+ut+1) , . . . ,b*_(t.n) _(t) _(+u) _(t) _(+z) _(t) ) for t=1, . . . ,d  [Formula 171]

In brief, the key generation device 100 generates a public parameter pk and a master key sk by executing the Setup algorithm indicated in Formula 172-1 and Formula 172-2.

$\begin{matrix} {{{{{Setup}\left( {1^{\lambda},{\overset{\rightarrow}{n} = \left( {{d;n_{1}},\ldots \mspace{14mu},{n_{d};u_{1}},\ldots \mspace{14mu},{u_{d};z_{1}},\ldots \mspace{14mu},z_{d}} \right)}} \right)}:\mspace{20mu} {param}_{}}:={\left( {q,,_{T},g,e} \right)\overset{R}{\leftarrow}{_{bpg}\left( 1^{\lambda} \right)}}},\mspace{20mu} {N_{0}:=7},\mspace{20mu} {N_{t}:={{n_{t} + u_{t} + z_{t} + {1\mspace{14mu} {for}\mspace{14mu} t}} = 1}},\ldots \mspace{14mu},d,\mspace{20mu} {\psi \overset{U}{}_{q}^{x}},{g_{T}:={e\left( {g,g} \right)}^{\psi}},\mspace{20mu} {{{for}\mspace{14mu} t} = 0},\ldots \mspace{14mu},d,{{parm}_{_{t}}:={\left( {q,,_{T},_{T},e} \right)\overset{R}{}{_{dpvs}\left( {1^{\lambda},N_{t},{param}_{}} \right)}}},\mspace{20mu} {X_{t} = {\begin{pmatrix} {{\overset{\rightarrow}{\chi}}_{t},1} \\ \vdots \\ {{\overset{\rightarrow}{\chi}}_{t},N_{t}} \end{pmatrix}:={\left( \chi_{t,i,j} \right)_{i,j}\overset{U}{}{{GL}\left( {N_{t},_{q}} \right)}}}},\mspace{20mu} {\begin{pmatrix} {{\overset{\rightarrow}{v}}_{t},1} \\ \vdots \\ {{\overset{\rightarrow}{v}}_{t},N_{t}} \end{pmatrix}:={\left( v_{t,i,j} \right)_{i,j}:={\psi \cdot \left( X_{t}^{T} \right)^{- 1}}}},} & \left\lbrack {{Formula}\mspace{14mu} 172\text{-}1} \right\rbrack \\ {\mspace{79mu} {{{b_{t.i}:={\sum\limits_{j = 1}^{N_{t}}\; {\chi_{t,i,j}a_{t,j}}}},{_{t}:=\left( {b_{t{.1}},\ldots \mspace{14mu},b_{t.N_{t}}} \right)},\mspace{20mu} {b_{t.i}^{*}:={\sum\limits_{j = 1}^{N_{t}}\; {v_{t,i,j}a_{t,j}}}},{_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.N_{t}}^{*}} \right)},\mspace{20mu} {\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}}} \right)\overset{R}{}{{Setup}_{{KP} - {FE}}\left( {1^{\lambda},\overset{\rightarrow}{n}} \right)}}}\mspace{20mu} {{{\hat{}}_{0}:=\left( {b_{0.1},b_{0.2},b_{0.3},b_{0.4},b_{0.6}} \right)},\mspace{79mu} {{\hat{}}_{t}:={{\left( {b_{t{.1}},\ldots \mspace{14mu},b_{t.n_{t}},b_{t.N_{t}}} \right)\mspace{14mu} {for}\mspace{14mu} t} = 1}},\ldots \mspace{14mu},d,\mspace{79mu} {{\hat{}}_{0}^{*}:=\left( {b_{0.1}^{*},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.7}^{*}} \right)},\mspace{79mu} {{\hat{}}_{t}^{*}:=\left( {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots \mspace{14mu},b_{{t.n_{t}} + u_{t} + z_{t}}^{*}} \right)}}\mspace{20mu} {{{{for}\mspace{14mu} t} = 1},\ldots \mspace{14mu},d,\mspace{20mu} {{param}_{\overset{\rightarrow}{n}}:=\left( {\left\{ {param}_{_{t}} \right\}_{{t = 0},\ldots \mspace{14mu},d},g_{T}} \right)},{{pk}:=\left( {{pk}^{{KP} - {FE}},1^{\lambda},{param}_{\overset{\rightarrow}{n}},\left\{ {\hat{}}_{t} \right\}_{{t = 0},\ldots \mspace{14mu},d},b_{0.2}^{*},b_{0.3}^{*},b_{0.4}^{*},b_{0.7}^{*},{{\begin{Bmatrix} {b_{t{.1}}^{*},\ldots \mspace{14mu},b_{t.n_{t}}^{*},b_{{t.n_{t}} + u_{t} + 1}^{*},\ldots \mspace{14mu},} \\ b_{{t.n_{t}} + u_{t} + z_{t}}^{*} \end{Bmatrix}t} = 1},\ldots \mspace{14mu},d} \right)},\mspace{20mu} {{sk}:=\left( {{sk}^{{KP} - {FE}},{\hat{}}_{0}^{*}} \right)},\mspace{20mu} {{return}\mspace{14mu} {pk}},{{sk}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 172\text{-}2} \right\rbrack \end{matrix}$

With reference to FIG. 24, the process of the KG algorithm will be described.

(S801: Information Input Step)

Using the input device, the information input part 130 takes as input an access structure S:=(M, ρ). The matrix M of the access structure S is to be set according to the conditions of a system to be implemented. Attribute information of a user of a decryption key sk_(S) is set in ρ of the access structure S, for example. Note that ρ(i)=(t, v^(→) _(i):=(v_(i.1), . . . , v_(i.nt))εF_(q) ^(nt)\{0^(→)}) (v_(i,nt)≠0).

(S802: KP-FE Decryption Key Generation Step)

Using the processing device, the KP-FE key generation part 144 computes Formula 173, and thus generates a decryption key sk_(S) ^(KP-FE) of functional encryption.

$\begin{matrix} {{sk}_{}^{{KP} - {FE}}\overset{R}{}{{KG}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}},} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 173} \right\rbrack \end{matrix}$

(S803: f Vector Generation Step)

Using the processing device, the f vector generation part 145 randomly generates a vector f^(→) having r pieces of elements, as indicated in Formula 174.

$\begin{matrix} {\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}} & \left\lbrack {{Formula}\mspace{14mu} 174} \right\rbrack \end{matrix}$

(S804: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix M included in the access structure S and the vector f^(→), the s vector generation part 146 generates a vector s^(→T):=(s₁, . . . , s_(L))^(T), as indicated in Formula 175.

{right arrow over (s)} ^(T):=(s ₁ , . . . ,s _(L))^(T) :=M·{right arrow over (f)} ^(T)  [Formula 175]

Using the processing device and based on the vector f^(→), the s vector generation part 146 also generates a value so, as indicated in Formula 176.

s ₀:={right arrow over (1)}·{right arrow over (f)} ^(T)  [Formula 176]

(S805: Random Number Generation Step)

Using the processing device, the random number generation part 142 generates random numbers, as indicated in Formula 177.

$\begin{matrix} {{\eta \overset{U}{}_{q}},{{\theta_{i}\mspace{14mu} {for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L},{{{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}} & \left\lbrack {{Formula}\mspace{14mu} 177} \right\rbrack \end{matrix}$

(S806: Decryption Key k* Generation Step)

Using the processing device, the decryption key k* generation part 143 generates a decryption key k*₀, as indicated in Formula 178.

k* ₀:=(1,−s ₀,0,0,0,0,η

  [Formula 178]

Using the processing device, the decryption key k* generation part 143 also generates a decryption key k*_(i) for each integer i=1, . . . , L, as indicated in Formula 179.

$\begin{matrix} {\mspace{79mu} {{{{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu} {k_{i}^{*}:={\left( {\overset{\overset{n_{t}}{}}{{{s_{i}\mspace{14mu} {\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}\mspace{14mu} {\overset{\rightarrow}{v}}_{i}}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{t}^{*}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {k_{i}^{*}:={\left( {\overset{\overset{n_{t}}{}}{{s_{i}\; {\overset{\rightarrow}{v}}_{i}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{t}^{*}}},}}} & \left\lbrack {{Formula}\mspace{14mu} 179} \right\rbrack \end{matrix}$

(S807: Key Transmission Step)

Using the communication device and via the network, for example, the key transmission part 150 transmits the decryption key sk_(S) having, as elements, the access structure S and the decryption keys k*₀ and k*_(i) to the decryption device 300 in secrecy. As a matter of course, the decryption key sk_(S) may be transmitted to the decryption device 300 by another method.

In brief, in (S801) through (S806), the key generation device 100 generates the decryption key sk_(S) by executing the KG algorithm indicated in Formula 180. In (S807), the key generation device 100 transmits the generated decryption key sk_(S) to the decryption device 300.

$\begin{matrix} {\mspace{79mu} {{{{{KG}\left( {{pk},{sk},{ = \left( {M,\rho} \right)}} \right)}:\mspace{20mu} {{sk}_{}^{{KP} - {FE}}\overset{R}{}{{KG}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}^{{KP} - {FE}},} \right)}}},\mspace{20mu} {\overset{\rightarrow}{f}\overset{U}{}_{q}^{r}},\mspace{20mu} {{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},{s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu} {\eta \overset{U}{}_{q}},\mspace{20mu} {k_{0}^{*}:=\left( {1,{- s_{0}},0,0,0,0,\eta} \right)_{_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu} {\theta_{i}\overset{U}{}_{q}},{{\overset{\rightarrow}{\eta}}_{i}\overset{U}{}_{q}^{z_{t}}},\mspace{20mu} {k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{{s_{i}\mspace{14mu} {\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}\mspace{14mu} {\overset{\rightarrow}{v}}_{i}}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}},\mspace{20mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {{\overset{\rightarrow}{\eta}}_{i}\overset{U}{}_{q}},\mspace{20mu} {k_{i}^{*}:=\left( {\overset{\overset{n_{t}}{}}{{s_{i}\; {\overset{\rightarrow}{v}}_{i}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}},\mspace{20mu} {{sk}_{}:=\left( {{sk}_{}^{{KP} - {FE}},,k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots \mspace{14mu} L}}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{sk}_{}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 180} \right\rbrack \end{matrix}$

In (S801), the key generation device 100 generates a decryption key sk_(S′) by executing the KG algorithm taking as input an access structure S′:=(M, ρ′) in which attribute information of a user of the decryption key sk_(S′) is set. Then, the decryption key sk_(S′):=(S′, k′*₀, k′*_(i)) is transmitted to the re-encrypted ciphertext decryption device 500. Note that ρ′(i)=(t, v^(→)′_(i):=(v′_(i.1), . . . , v_(i.nt))εF_(q) ^(nt)\{0^(→)})(v′_(i,nt)≠0).

The function and operation of the encryption device 200 will be described.

The encryption device 200 includes a public parameter receiving part 210, an information input part 220, a signature processing part 230, an encryption part 240, and a ciphertext transmission part 250. The encryption part 240 includes a random number generation part 243 and a ciphertext c^(enc) generation part 244.

With reference to FIG. 25, the process of the Enc algorithm will be described.

(S901: Public Parameter Receiving Step)

Using the communication device and via the network, for example, the public parameter receiving part 210 receives the public parameter pk generated by the key generation device 100.

(S902: Information Input Step)

Using the input device, the information input part 220 also takes as input an attribute set Γ:={(t, x^(→) _(t):=(x_(t.1), . . . , x_(t.nt) εF_(q) ^(nt)))|1≦t≦d}. Note that t may be at least some of integers from 1 to d, instead of being all of integers from 1 to d. Attribute information of a user capable of decryption is set in the attribute set Γ, for example. Using the input device, the information input part 220 takes as input a message m to be transmitted to the decryption device 300.

(S903: Signature Key Generation Step)

Using the processing device, the signature processing part 230 computes Formula 181, and thus generates a signature key sigk and a verification key verk of one-time signature.

$\begin{matrix} {\left( {{sigk},{verk}} \right)\overset{R}{}{{SigKG}\left( 1^{\lambda} \right)}} & \left\lbrack {{Formula}\mspace{14mu} 181} \right\rbrack \end{matrix}$

(S904: Random Number Generation Step)

Using the processing device, the random number generation part 243 generates random numbers, as indicated in Formula 182.

$\begin{matrix} {\rho,ϛ,\delta,{\phi \overset{U}{}_{q}},{{{\phi_{t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 182} \right\rbrack \end{matrix}$

(S905: Ciphertext c^(enc) Generation Step)

Using the processing device, the ciphertext c^(enc) generation part 232 generates a ciphertext c^(enc) ₀, as indicated in Formula 183.

c ₀ ^(enc):=(ζ,δ,ρ(verk,1),0,ρ,0)

₀  [Formula 183]

Using the processing device, the ciphertext c^(enc) generation part 232 generates a ciphertext c^(enc) _(t) for each integer t included in the attribute information Γ, as indicated in Formula 184.

$\begin{matrix} {c_{t}^{enc}:={{\left( {\overset{\overset{n_{t}}{}}{{\delta \; {\overset{\rightarrow}{x}}_{t}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{0^{z_{t}},}\mspace{14mu} \overset{\overset{1}{}}{\phi_{t}}} \right)_{_{t}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 184} \right\rbrack \end{matrix}$

Using the processing device, the ciphertext c^(enc) generation part 232 also generates a ciphertext C^(enc) _(d+1), as indicated in Formula 185.

c _(d+1) ^(enc) =m·g _(T) ^(ζ)  [Formula 185]

(S906: Signature Generation Step)

Using the processing device, the signature processing part 230 computes Formula 186, and thus generates a signature Sig for an element C:=(S, c^(enc) ₀, {c^(enc) _(t)}_((t,xt→)εΓ), c^(enc) _(d+1)) of the ciphertext ct_(Γ).

$\begin{matrix} {{Sig}\overset{R}{}{{Sig}\left( {{sigk},{C = \left( {,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 186} \right\rbrack \end{matrix}$

(S907: Ciphertext Transmission Step)

Using the communication device and via the network, for example, the ciphertext transmission part 250 transmits the ciphertext ct_(Γ) having, as elements, the attribute set Γ, the ciphertexts c^(enc) ₀, c^(enc) _(t), and c^(enc) _(d+1), the verification key verk, and the signature Sig to the decryption device 300. As a matter of course, the ciphertext ct_(Γ) may be transmitted to the decryption device 300 by another method.

In brief, in (S901) through (S906), the encryption device 200 generates the ciphertext ct_(Γ) by executing the Enc algorithm indicated in Formula 187. In (S907), the encryption device 200 transmits the generated ciphertext ct_(Γ) to the decryption device 300.

$\begin{matrix} {{Enc}\left( {{pk},m,{\Gamma = {\left( \left\{ {\left. \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \middle| {{\overset{\rightarrow}{x}}_{t} \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}} \right.,{1 \leq t \leq d}} \right\} \right):\mspace{20mu} {\left( {{sigk},{verk}} \right)\overset{R}{}{{SigKG}\left( 1^{\lambda} \right)}}}},\mspace{20mu} \rho,Ϛ,\delta,\phi,{{{\phi_{t}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma},\mspace{20mu} {c_{0}^{enc}:=\left( {Ϛ,\delta,{\rho \left( {{verk},1} \right)},0,\phi,0} \right)_{_{0}}},\mspace{20mu} {{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma \mspace{20mu} c_{t}^{enc}}}:=\left( {\overset{\overset{n_{t}}{}}{{\delta \; {\overset{\rightarrow}{x}}_{t}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{0^{z_{t}},}\mspace{14mu} \overset{\overset{1}{}}{\phi_{t}}} \right)_{_{t}}},\mspace{20mu} {c_{d + 1}^{enc} = {m \cdot g_{T}^{Ϛ}}},{{Sig}\overset{R}{}{{Sig}\left( {{sigk},{C = \left( {,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)}} \right)}},\mspace{20mu} {{ct}_{\Gamma}\left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{ct}_{\Gamma}.}}} \right.} & \left\lbrack {{Formual}\mspace{14mu} 187} \right\rbrack \end{matrix}$

The function and operation of the decryption device 300 will be described.

The decryption device 300 includes a decryption key receiving part 310, an information input part 320, a re-encryption key generation part 330, a re-encryption key transmission part 340, a ciphertext receiving part 350, a verification part 360, a complementary coefficient computation part 370, a pairing operation part 380, and a message computation part 390. The re-encryption key generation part 330 includes a random number generation part 331, a conversion information W₁ generation part 332, a conversion information W₁ encryption part 333, a decryption key k*^(rk) generation part 334, a conversion part 335, an f vector generation part 336, and an s vector generation part 337. The verification part 360 includes a span program computation part 361 and a signature verification part 362.

With reference to FIG. 26, the process of the RKG algorithm will be described. The Dec2 algorithm will be described later.

(S1001: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(S) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S1002: Information Input Step)

Using the input device, the information input part 320 takes as input an attribute set Γ′:={(t, x′^(→) _(t):=(x′^(→) _(t.1), . . . , x_(t.nt) εF_(q) ^(nt)\{0^(→)}))|1≦t≦d}. Note that t may be at least some of integers from 1 to d, instead of being all of integers from 1 to d. Attribute information of a user who can decrypt a re-encrypted ciphertext CT_(Γ) is set in the attribute set Γ′, for example.

(S1003: Random Number Generation Step)

Using the processing device, the random number generation part 331 generates random numbers, as indicated in Formula 188.

$\begin{matrix} {{\eta^{\prime}\overset{U}{}_{q}},{{{\theta_{i}^{\prime}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L,{{{\eta_{i}^{\prime}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L} & \left\lbrack {{Formual}\mspace{14mu} 188} \right\rbrack \end{matrix}$

(S1004: f Vector Generation Step)

Using the processing device, the f vector generation part 336 randomly generates a vector f^(→)′ having r pieces of elements, as indicated in Formula 189.

$\begin{matrix} {{\overset{\rightarrow}{f}}^{\prime}\overset{R}{}_{q}^{r}} & \left\lbrack {{Formual}\mspace{14mu} 189} \right\rbrack \end{matrix}$

(S1005: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix M included in the access structure S and the vector f^(→)′, the s vector generation part 337 generates a vector s^(→′T), as indicated in Formula 190.

{right arrow over (s)}′ ^(T):=(s′ ₁ , . . . ,s′ _(L))^(T) :=M′·{right arrow over (f)}′ ^(T)  [Formula 190]

Using the processing device and based on the vector f^(→)′, the s vector generation part 337 also generates a value s_(0′), as indicated in Formula 191.

s′ ₀:={right arrow over (1)}·{right arrow over (f)}′ ^(T)  [Formula 191]

(S1006: Conversion Information W₁ Generation Step)

Using the processing device, the conversion information W₁ generation part 332 generates conversion information W₁, as indicated in Formula 192.

$\begin{matrix} {W_{1}\overset{R}{}{{GL}\left( {7,_{q}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 192} \right\rbrack \end{matrix}$

(S1007: Conversion Information W₁ Encryption Step)

Using the processing device, the conversion information W₁ encryption part 333 computes Formula 193, and thus encrypts the conversion information W₁ with functional encryption and generates encrypted conversion information ψ^(rk). Since the conversion information W₁ is encrypted with functional encryption on input of the attribute information Γ′, the conversion information W₁ is encrypted with the attribute information of the user who can decrypt the re-encrypted ciphertext CT_(Γ′) being set.

$\begin{matrix} {\psi^{rk}\overset{R}{}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{1}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 193} \right\rbrack \end{matrix}$

(S1008: Decryption Key k*^(rk) Generation Step)

Using the processing device, the decryption key generation part 334 generates a decryption key k*^(rk) ₀, as indicated in Formula 194.

k* ₀ ^(rk):=(k* ₀+(0,−s′ ₀,0,0,0,0,η′)

_(*0))W ₁  [Formula 194]

Using the processing device, the decryption key generation part 334 also generates a decryption key k*^(rk) _(i) for each integer i=1, . . . , L, as indicated in Formula 195.

$\begin{matrix} {\mspace{79mu} {{{{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu} {k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{}}{{{s_{i}^{\prime}\mspace{20mu} {\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}\mspace{14mu} {\overset{\rightarrow}{v}}_{i}}},}\mspace{20mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{25mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{25mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{}}{{s_{i}^{\prime}\mspace{11mu} {\overset{\rightarrow}{v}}_{i}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{25mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{20mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}}},}}} & \left\lbrack {{Formual}\mspace{14mu} 195} \right\rbrack \end{matrix}$

(S1009: Conversion Step)

Using the processing device, the conversion part 335 computes Formula 196, and thus generates a basis D̂*₀.

d* _(0.i) :=b* _(0.i) W ₁ for i=2,3,4,7,

*₀:=(d* _(0.2) ,d* _(0.3) ,d* _(0.4) ,d* _(0.7)),  [Formula 196]

(S1010: Key Transmission Step)

Using the communication device and via the network, for example, the re-encryption key transmission part 340 transmits the re-encryption key rk_((S.Γ′)) having, as elements, the access structure S, the attribute set Γ′, the decryption keys k*^(rk) ₀ and k*^(rk) _(i), the encrypted conversion information ψ^(rk), and the basis D^(̂*) ₀ to the re-encryption device 400 in secrecy. As a matter of course, the re-encryption key rk_((S.Γ′)) may be transmitted to the re-encryption device 400 by another method.

In brief, in (S1001) through (S1009), the decryption device 300 generates the re-encryption key rk_((S.Γ′)) by executing the RKG algorithm indicated in Formula 197. In (S1010), the decryption device 300 transmits the generated re-encryption key rk_((S.Γ′)) to the re-encryption device 400.

$\begin{matrix} {\mspace{79mu} {{{{{RKG}\left( {{pk},{{sk}_{} = \left( {{sk}_{}^{{KP} - {FE}},,k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots \mspace{14mu} L}}} \right)},\Gamma^{\prime}} \right)}:\mspace{20mu} {\eta^{\prime}\overset{U}{}_{q}}},{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{}_{q}^{r}},{{\overset{\rightarrow}{s}}^{\prime \; T}:={\left( {s_{1}^{\prime},\ldots \mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M^{\prime} \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}}},{s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}},\mspace{20mu} {W_{1}\overset{R}{}{{GL}\left( {7,_{q}} \right)}},\mspace{20mu} {\psi^{rk}\overset{R}{}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{1}} \right)}},\mspace{20mu} {k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,{- s_{0}^{\prime}},0,0,0,0,\eta^{\prime}} \right)_{_{0}^{*}}} \right)W_{1}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i,n_{t}} \neq 0} \right)}},\mspace{20mu} {\theta_{i}^{\prime}\overset{U}{}_{q}},{\eta_{i}^{\prime}\overset{U}{}_{q}^{z_{t}}}}\mspace{20mu} {{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{}}{{{s_{i}^{\prime}\mspace{20mu} {\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}\mspace{14mu} {\overset{\rightarrow}{v}}_{i}}},}\overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{14mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}}},\mspace{20mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {\eta_{i}^{\prime}\overset{U}{}_{q}^{z_{t}}}}\mspace{20mu} {{k_{i}^{*{rk}}:={k_{i}^{*} + \left( {\overset{\overset{n_{t}}{}}{{s_{i}^{\prime}\mspace{11mu} {\overset{\rightarrow}{v}}_{i}},}\mspace{14mu} \overset{\overset{u_{t}}{}}{0^{u_{t}},}\mspace{20mu} \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{\prime},}\mspace{14mu} \overset{\overset{1}{}}{0}} \right)_{_{t}^{*}}}},\mspace{20mu} {d_{0,i}^{*}:={{b_{0.i}^{*}W_{1}\mspace{14mu} {for}\mspace{14mu} i} = 2}},3,4,7,\mspace{79mu} {{\hat{}}_{0}^{*}:=\left( {d_{0.2}^{*},d_{0.3}^{*},d_{0.4}^{*},d_{0.7}^{*}} \right)},\mspace{20mu} {{rk}_{({.\Gamma^{\prime}})}:=\left( {,\Gamma^{\prime},k_{0}^{*{rk}},\left\{ k_{i}^{*{rk}} \right\}_{{i = 1},\ldots \mspace{14mu},L},\psi^{rk},{\hat{}}_{0}^{*}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{rk}_{({.\Gamma^{\prime}})}.}}}}} & \left\lbrack {{Formual}\mspace{14mu} 197} \right\rbrack \end{matrix}$

The function and operation of the re-encryption device 400 will be described.

The re-encryption device 400 includes a public parameter receiving part 410, a ciphertext receiving part 420, a re-encryption key receiving part 430, a verification part 440, an encryption part 450, and a re-encrypted ciphertext transmission part 460. The verification part 440 includes a span program computation part 441 and a signature verification part 442. The encryption part 450 includes a random number generation part 451, an f vector generation part 452, an s vector generation part 453, a conversion information W₂ generation part 454, a conversion information W₂ encryption part 455, a ciphertext c^(renc) generation part 456, and a decryption key k*^(renc) generation part 457.

With reference to FIG. 27, the process of the REnc algorithm will be described.

(S1101: Public Parameter Receiving Step)

Using the communication device and via the network, for example, the public parameter receiving part 410 receives the public parameter pk generated by the key generation device 100.

(S1102: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 420 receives the ciphertext ct_(Γ) transmitted by the encryption device 200.

(S1103: Re-Encryption Key Receiving Step)

Using the communication device and via the network, for example, the re-encryption key receiving part 430 receives the re-encryption key rk_((S.Γ′)) transmitted by the decryption device 300.

(S1104: Span Program Computation Step)

Using the processing device, the span program computation part 441 determines whether or not the access structure S included in the re-encryption key rk_((S.Γ′)) accepts Γ included in the ciphertext ct_(Γ). The method for determining whether or not the access structure S accepts Γ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S1104), the span program computation part 441 advances the process to (S1105). If the access structure S rejects Γ (reject in S1104), the span program computation part 441 ends the process.

(S1105: Signature Verification Step)

Using the processing device, the signature verification part 442 determines whether or not a result of computing Formula 198 is 1. If the result is 1 (valid in S1105), the signature verification part 442 advances the process to (S1106). If the result is 0 (invalid in S1105), the signature verification part 442 ends the process.

Ver(verk,C=(Γ,c ₀ ^(enc) ,{c _(t) ^(enc)}_((t,{right arrow over (x)}) _(t) ₎ εΓ,c _(d+1) ^(enc)),Sig)  [Formula 198]

(S1106: Random Number Generation Step)

Using the processing device, the random number generation part 451 generates random numbers, as indicated in Formula 199.

$\begin{matrix} {\sigma,Ϛ^{\prime},\delta^{\prime},\rho^{\prime},\phi^{\prime},\eta^{''},{{{\theta_{i}^{''}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L,{{{{\overset{\rightarrow}{\eta}}_{i}^{''}\overset{U}{}_{q}^{z_{t}}}\mspace{14mu} {for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L,{{{\phi_{t}^{\prime}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} \left( {t,x_{t}^{\prime}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 199} \right) \end{matrix}$

(S1107: f Vector Generation Step)

Using the processing device, the f vector generation part 452 randomly generates a vector f^(→)″ having r pieces of elements, as indicated in Formula 200.

$\begin{matrix} {{\overset{\rightarrow}{f}}^{''}\overset{R}{}_{q}^{r}} & \left\lbrack {{Formual}\mspace{14mu} 200} \right\rbrack \end{matrix}$

(S1108: s Vector Generation Step)

Using the processing device and based on the (L rows×r columns) matrix M included in the access structure S and the vector f^(→)″, the s vector generation part 453 generates a vector s^(→)″^(T), as indicated in Formula 201.

{right arrow over (s)}″ ^(T):=(s″ ₁ , . . . ,S″ _(L))^(T) :=M·{right arrow over (f)}″ ^(T)  [Formula 201]

Using the processing device and based on the vector f^(→)″, the s vector generation part 453 also generates a value s₀″, as indicated in Formula 202.

s″ ₀:={right arrow over (1)}·{right arrow over (f)}″ ^(T)  [Formula 202]

(S1109: Conversion Information W₂ Generation Step)

Using the processing device, the conversion information W₂ generation part 454 generates conversion information W₂, as indicated in Formula 203.

$\begin{matrix} {W_{2}\overset{R}{}{{GL}\left( {7,_{q}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 203} \right\rbrack \end{matrix}$

(S1110: Conversion Information W₂ Encryption Step)

Using the processing device, the conversion information W₂ encryption part 455 computes Formula 204, and thus encrypts the conversion information W₂ with functional encryption and generates encrypted conversion information ψ^(renc). Since the conversion information W₂ is encrypted with functional encryption on input of the attribute information Γ′, the conversion information W₂ is encrypted with the attribute information of the user who can decrypt the re-encrypted ciphertext CT_(Γ)′ being set.

$\begin{matrix} {\psi^{renc}\overset{R}{}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{2}} \right)}} & \left\lbrack {{Formual}\mspace{14mu} 204} \right\rbrack \end{matrix}$

(S1111: Ciphertext c^(renc) Generation Step)

Using the processing device, the ciphertext c^(renc) generation part 456 generates a ciphertext c^(renc) ₀, as indicated in Formula 205.

c ₀ ^(renc):=(c ₀ ^(enc)+(ζ′,δ′,ρ′(verk,1),0,φ′,0)

₀)W ₂  [Formula 205]

Using the processing device, the ciphertext c^(renc) generation part 456 also generates a ciphertext c^(renc) _(t) for each integer t included in the attribute information Γ, as indicated in Formula 206.

$\begin{matrix} {{c_{t}^{renc}:={c_{t}^{enc} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{0\; z_{t}},} & \overset{\overset{1}{}}{\phi_{t}^{\prime}} \end{pmatrix}_{_{t}}}}{{{for}\mspace{14mu} \left( {t,x_{t}} \right)} \in \Gamma}} & \left\lbrack {{Formula}\mspace{14mu} 206} \right\rbrack \end{matrix}$

Using the processing device, the ciphertext c^(renc) generation part 456 also generates a ciphertext c^(renc) _(d+1), as indicated in Formula 207.

c _(d+1) ^(renc) =c _(d+1) ^(enc) ·g _(T) ^(ζ′)  [Formula 207]

(S1112: Decryption Key k*^(renc) Generation Step)

Using the processing device, the decryption key k*^(renc) generation part 457 generates a decryption key k*^(renc) ₀, as indicated in Formula 208.

k* ₀ ^(renc) :=k* ₀ ^(rk)+(0,−s″ ₀,σ(−1,verk),0,0,η″)

*₀  [Formula 208]

Using the processing device, the decryption key k*^(renc) generation part 457 also generates a decryption key k*^(renc) _(i) for each integer i=1, . . . , L, as indicated in Formula 209.

$\begin{matrix} {\mspace{79mu} {{{{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}}\mspace{20mu} {{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 209} \right\rbrack \end{matrix}$

(S1113: Re-Encrypted Ciphertext Transmission Step)

Using the communication device and via the network, for example, the re-encrypted ciphertext transmission part 460 transmits the re-encrypted ciphertext CT_(Γ)′ having, as elements, the attribute set Γ′, the access structure S, the attribute set Γ, the decryption keys k*^(renc) ₀ and k*^(renc) _(i), the ciphertexts c^(renc) ₀, c^(renc) _(t), and c^(renc) _(d+1), the encrypted conversion information ψ^(rk), and the encrypted conversion information ψ^(renc) to the re-encryption device 400 in secrecy. As a matter of course, the re-encrypted ciphertext CT_(Γ′) may be transmitted to the re-encryption device 400 by another method.

In brief, in (S1101) through (S1112), the re-encryption device 400 generates the re-encrypted ciphertext CT_(Γ′) by executing the REnc algorithm indicated in Formula 210-1 and Formula 210-2. In (S1113), the re-encryption device 400 transmits the generated re-encrypted ciphertext CT_(Γ′) to the re-encrypted ciphertext decryption device 500.

$\begin{matrix} {{{{{REnc}\left( {{{rk}_{({,\Gamma^{\prime}})} = \left( {,\Gamma^{\prime},k_{0}^{*{rk}},{\left\{ k_{i}^{*{rk}} \right\}_{{i = 1},\ldots \mspace{14mu},L}\psi^{rk}},{\hat{}}_{0}^{*}} \right)},\mspace{20mu} {{ct}_{\Gamma} = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)}} \right)}:\mspace{20mu} {{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}},{{and}\mspace{14mu} {{Ver}\left( {{verk},{C = {\left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{Sig}} \right) = {1{then}\mspace{14mu} {compute}\mspace{14mu} {following}\mspace{14mu} c_{0}^{renc}}}},\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{renc},k^{*{renc}},\mspace{20mu} {{and}\mspace{14mu} \left\{ k^{*{renc}} \right\}_{{i = 0},\ldots \mspace{14mu},L}\mspace{20mu} \sigma},\zeta^{\prime},\delta^{\prime},\rho^{\prime},\phi^{\prime},{\eta^{''}\overset{U}{}_{q}},\mspace{20mu} {{{\phi_{t}^{\prime}\overset{U}{}_{q}}\mspace{14mu} {for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {\Gamma {{\overset{\rightarrow}{f}}^{''}\overset{R}{}_{q}^{r}}}},{{{\overset{\rightarrow}{s}}^{''}T}:={\left( {s_{1}^{''},\ldots \mspace{14mu},s_{L}^{''}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{''\; T}}}},{s_{0}^{''}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{''\; T}}},\mspace{20mu} {W_{2}\overset{R}{}{{GL}\left( {7,_{q}} \right)}},\mspace{20mu} {\psi^{renc}\overset{R}{}{{Enc}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},\Gamma^{\prime},W_{2}} \right)}},} \right.}}} & \left\lbrack {{Formula}\mspace{14mu} 210\text{-}1} \right\rbrack \\ {{{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},\delta^{\prime},{\rho^{\prime}\left( {{verk},1} \right)},0,\phi^{\prime},0} \right)_{_{0}}} \right)W_{2}}},\mspace{79mu} {c_{t}^{renc}:={c_{t}^{enc} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{0\; z_{t}},} & \overset{\overset{1}{}}{\phi_{t}^{\prime}} \end{pmatrix}_{_{t}}}}}\mspace{20mu} {{{for}\mspace{14mu} \left( {t,x_{t}} \right)} \in \Gamma}\mspace{20mu} {{c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}},{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,{- s_{0}^{''}},{\sigma \left( {{- 1},{verk}} \right)},0,0,\eta^{''}} \right)_{_{0}^{*}}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}{{{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{{\overset{\rightarrow}{v}}_{i}:={\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right) \in {_{q}^{n_{t}}\backslash \left\{ \overset{\rightarrow}{0} \right\}}}}} \right)\left( {v_{i.n_{t}} \neq 0} \right)}},\mspace{20mu} {\theta_{i}^{''}\overset{U}{}_{q}},{\eta_{i}^{''}\overset{U}{}_{q}^{z_{t}}},{k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {\eta_{i}^{''}\overset{U}{}_{q}},\mspace{20mu} {k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \begin{pmatrix} \overset{\overset{n_{t}}{}}{{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}},} & \overset{\overset{u_{t}}{}}{{0\; u_{t}},} & \overset{\overset{z_{t}}{}}{{\overset{\rightarrow}{\eta}}_{i}^{''},} & \overset{\overset{1}{}}{0} \end{pmatrix}_{_{t}^{*}}}}}{{{CT}_{\Gamma^{\prime}}:=\left( {\Gamma^{\prime},,\Gamma,k_{0}^{*{renc}},\left\{ k_{i}^{*{renc}} \right\}_{{i = 1},\ldots \mspace{14mu},L},{c_{0}^{renc}\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}}\}} \in \Gamma^{\prime}}},c_{d + 1}^{renc},c_{d + 1}^{rk},c_{d + 1}^{enc}} \right)},\mspace{20mu} {{return}\mspace{14mu} {{CT}_{\Gamma^{\prime}}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 210\text{-}2} \right\rbrack \end{matrix}$

The function and operation of the re-encrypted ciphertext decryption device 500 will be described.

The re-encrypted ciphertext decryption device 500 includes a decryption key receiving part 510, a ciphertext receiving part 520, a span program computation part 530, a complementary coefficient computation part 540, a conversion information generation part 550, a conversion part 560, a pairing operation part 570, and a message computation part 580. The pairing operation part 570 and the message computation part 580 will be referred to collectively as a decryption part.

With reference to FIG. 28, the process of the Dec1 algorithm will be described.

(S1201: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 510 receives the decryption key sk_(S′) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S1202: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 520 receives the re-encrypted ciphertext CT_(Γ) transmitted by the re-encryption device 400.

(S1203: Span Program Computation Step)

Using the processing device, the span program computation part 530 determines whether or not the access structure S included in the re-encrypted ciphertext CT_(Γ) accepts Γ included in the re-encrypted ciphertext CT_(Γ), and determines whether or not the access structure S′ included in the decryption key sk_(S′) accepts Γ′ included in the re-encrypted ciphertext CT_(Γ). The method for determining whether or not the access structure S accepts Γ and whether or not the access structure S′ accepts Γ′ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ and the access structure S′ accepts Γ′ (accept in S1203), the span program computation part 530 advances the process to (S1204). If the access structure S rejects Γ or the access structure S′ rejects Γ′ (reject in S1203), the span program computation part 530 ends the process.

(S1204: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computation part 540 computes I and a constant (complementary coefficient) {α_(i)}_(iεI) such that Formula 211 is satisfied.

$\begin{matrix} {\mspace{85mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}}}}\mspace{20mu} {{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}}}}} & \left\lbrack {{Formula}\mspace{14mu} 211} \right\rbrack \end{matrix}$

(S1205: Conversion Information Generation Step)

Using the processing device, the conversion information generation part 550 generates conversion information W₁ ^(˜) and W₂ ^(˜), as indicated in Formula 212.

$\begin{matrix} {{{\overset{\sim}{W}}_{1}\overset{R}{}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{rk}} \right)}},{{\overset{\sim}{W}}_{2}\overset{R}{}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{renc}} \right)}}} & \left\lbrack {{Formula}\mspace{14mu} 212} \right\rbrack \end{matrix}$

Using the processing device, the conversion part 560 converts the basis of the decryption key k*^(renc) ₀ and thus generates a decryption key k*₀ ^(˜), and converts the basis of the ciphertext c^(renc) ₀ and thus generates a ciphertext c₀ ^(˜), as indicated in Formula 213.

{tilde over (k)}* ₀ :=k* ₀ ^(renc) W ₁ ⁻¹,

{tilde over (c)} ₀ :=c ₀ ^(renc) W ₂ ⁻¹  [Formula 213]

(S1207: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computes Formula 214, and thus generates a session key K^(˜).

$\begin{matrix} {\overset{\sim}{K}:={{e\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 214} \right\rbrack \end{matrix}$

(S1208: Message Computation Step)

Using the processing device, the message computation part 390 computes m′=c^(enc) _(d+1)/K^(˜), and thus generates a message m′(=m).

In brief, in (S1201) through (S1208), the re-encrypted ciphertext decryption device 500 generates the message m′(=m) by executing the Dec1 algorithm indicated in Formula 215.

$\begin{matrix} {\mspace{79mu} {{{{{{Dec}_{1}\left( {{pk},{{sk}_{^{\prime}} = \left( {{sk}_{^{\prime}}^{{KP} - {FE}},^{\prime},k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots \mspace{14mu} L}}} \right)},\mspace{20mu} {{CT}_{\Gamma^{\prime}} = \left( {\Gamma^{\prime},,\Gamma,k_{0}^{*{renc}},\left\{ k_{i}^{renc} \right\}_{{i = 1},\ldots \mspace{14mu},L},\mspace{20mu} {c_{0}^{renc}\left\{ c_{t}^{renc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma^{\prime}}},c_{d + 1}^{renc},c_{d + 1}^{rk},c_{d + 1}^{enc}} \right)}} \right)}:{{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma}}:={{\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\} \mspace{14mu} {and}\mspace{14mu} ^{\prime}\mspace{14mu} {accepts}\mspace{14mu} \Gamma^{\prime}}:=\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\}}},\mspace{20mu} {{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}}}\mspace{20mu} {\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}}}}\mspace{20mu} {{{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M},{{{and}\mspace{14mu} I} \subseteq \begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}},\mspace{20mu} {{\overset{\sim}{W}}_{1}\overset{R}{}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{rk}} \right)}},\mspace{20mu} {{\overset{\sim}{W}}_{2}\overset{R}{}{{Dec}_{{KP} - {FE}}\left( {{pk}^{{KP} - {FE}},{sk}_{\Gamma}^{{KP} - {FE}},\psi^{renc}} \right)}},\mspace{20mu} {{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu} {{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}},{\overset{\sim}{K}:={{e\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu} {{m^{\prime}:={c_{d + 1}^{enc}/\overset{\sim}{K}}},\mspace{20mu} {{return}\mspace{14mu} {m^{\prime}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 215} \right\rbrack \end{matrix}$

With reference to FIG. 29, the process of the Dec2 algorithm will be described.

(S1301: Decryption Key Receiving Step)

Using the communication device and via the network, for example, the decryption key receiving part 310 receives the decryption key sk_(S) transmitted by the key generation device 100. The decryption key receiving part 310 also receives the public parameter pk generated by the key generation device 100.

(S1302: Ciphertext Receiving Step)

Using the communication device and via the network, for example, the ciphertext receiving part 350 receives the ciphertext ct_(Γ) transmitted by the re-encryption device 400.

(S1303: Span Program Computation Step)

Using the processing device, the span program computation part 361 determines whether or not the access structure S included in the decryption key sk_(S) accepts Γ included in the ciphertext ct_(Γ). The method for determining whether or not the access structure S accepts Γ is as described in “3. Concept for Implementing FPRE” in Embodiment 1.

If the access structure S accepts Γ (accept in S1303), the span program computation part 361 advances the process to (S1304). If the access structure S rejects Γ (reject in S1303), the span program computation part 361 ends the process.

(S1304: Signature Verification Step)

Using the processing device, the signature verification part 362 determines whether or not a result of computing Formula 216 is 1. If the result is 1 (valid in S1304), the signature verification part 442 advances the process to (S1305). If the result is 0 (invalid in S1304), the signature verification part 442 ends the process.

Ver(verk,C=(Γ,c ₀ ^(enc) ,{c _(t) ^(enc)}_((t,x) _(t) _()εΓ) ,c _(d+1) ^(enc)),Sig)  [Formula 216]

(S1305: Complementary Coefficient Computation Step)

Using the processing device, the complementary coefficient computation part 370 computes I and a constant (complementary coefficient) {α_(i)}_(iεI) such that Formula

$\begin{matrix} {\mspace{79mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}}}}\mspace{20mu} {{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M}\; {{{and}\mspace{14mu} I} \subseteq \begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}}}} & \left\lbrack {{Formula}\mspace{14mu} 217} \right\rbrack \end{matrix}$

(S1306: Pairing Operation Step)

Using the processing device, the pairing operation part 570 computes Formula 128, and thus generates a session key K.

$\begin{matrix} {K:={{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{renc},k_{i}^{*}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{enc},k_{i}^{*}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{i}} \right)}}}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 218} \right\rbrack \end{matrix}$

(S1307: Message Computation Step)

Using the processing device, the message computation part 390 computes m′=c^(enc) _(d+1)/K, and thus generates a message m′(=m).

In brief, in (S1301) through (S1307), the decryption device 300 generates the message m′(=m) by executing the Dec2 algorithm indicated in Formula 219.

$\begin{matrix} {\mspace{79mu} {{{{{Dec}_{2}\left( {{pk},{{sk}_{} = \left( {{sk}_{}^{{KP} - {FE}},,k_{0}^{*},\left\{ k_{i}^{*} \right\}_{{i = 1},{\ldots \mspace{14mu} L}}} \right)},\mspace{20mu} {{ct}_{\Gamma} = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc},{verk},{Sig}} \right)}} \right)}:\mspace{20mu} {{If}\mspace{14mu} \mspace{14mu} {accepts}\mspace{14mu} \Gamma}}:={\left\{ \left( {t,{\overset{\rightarrow}{x}}_{t}} \right) \right\} \mspace{14mu} {and}}}\text{}{{{{Ver}\left( {{verk},{C = \left( {\Gamma,c_{0}^{enc},\left\{ c_{t}^{enc} \right\}_{{({t,{\overset{\rightarrow}{x}}_{t}})} \in \Gamma},c_{d + 1}^{enc}} \right)},{Sig}} \right)} = 1},\mspace{20mu} {{then}\mspace{14mu} {compute}\mspace{14mu} I\mspace{14mu} {and}\mspace{14mu} \left\{ \alpha_{i} \right\}_{i \in I}\mspace{14mu} {such}\mspace{14mu} {that}}}\mspace{20mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}\mspace{20mu} {{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M}}}},{{{and}\mspace{14mu} I} \subseteq \begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}},{K:={{{e\left( {c_{0}^{enc},k_{0}^{*}} \right)} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{enc},k_{i}^{*}} \right)} {\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{enc},k_{i}^{*r}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}\mspace{20mu} m^{\prime}}}}}}}:={c_{d + 1}^{enc}/K}}},\mspace{20mu} {{return}\mspace{14mu} {m^{\prime}.}}}}} & \left\lbrack {{Formula}\mspace{14mu} 219} \right\rbrack \end{matrix}$

As described above, the cryptographic system according to Embodiment 2 can implement the KP-FPRE scheme. Thus, a ciphertext can be forwarded to a set of various types of users with a single re-encryption key.

As a result, for example, various ciphertexts existing on a network can be securely forwarded to users having various attributes, without decrypting the ciphertexts. It is thus possible to securely and practically entrust processing of ciphertexts to a trusted third party.

It has been described that the decryption device 300 also functions as a re-encryption key generation device, and that the decryption device 300 executes the RKG algorithm as well as the Dec2 algorithm. However, the decryption device 300 and the re-encryption key generation device may be implemented separately. In this case, the decryption device 300 executes the Dec2 algorithm, and the re-encryption key generation device executes the RKG algorithm. In this case, therefore, the decryption device 300 includes functional components that are required to execute the Dec2 algorithm, and the re-encryption key generation device includes functional components that are required to execute the RKG algorithm.

In the above embodiments, it has been described that the re-encryption device 400 re-encrypts a ciphertext and changes the destination of the ciphertext, assuming a case where a message is encrypted with FE and transmitted to the destination.

FE can be used not only to encrypt a message and transmit the encrypted message to the destination, but also to implement searchable encryption which allows searching without decrypting a ciphertext. When searchable encryption is implemented with FE, a specified search keyword can be changed with the algorithms described in the above embodiments.

In the above embodiments, a user capable of decryption is specified by attribute information which is set in a ciphertext. Then, the destination of the ciphertext is changed by changing the attribute information. When searchable encryption is implemented with FE, a part of attribute information which is set in a ciphertext specifies a user capable of searching, and a part of the remaining attribute information specifies a search keyword. Thus, it is possible to change the specified keyword by changing the part that specifies the search keyword in the attribute information with the algorithms described in the above embodiments.

In the above embodiments, a single key generation device 100 generates a decryption key. However, it is possible to arrange that a single decryption key is generated by a plurality of key generation devices 100 by combining the algorithms of the above embodiments with a multi-authority scheme discussed in Non-Patent Literature 3.

In the above embodiments, adding an attribute category (increasing the value of d in the attribute format n^(→)) requires that the public parameter be re-issued. However, it is possible to arrange that an attribute category can be added without re-issuing the public parameter by combining the algorithms of the above embodiments with an unbounded scheme discussed in Non-Patent Literature 4.

In the above embodiments, when the length of vectors used for inner-product encryption is defined as N, the size of the public parameter and the master secret key is proportional to N², and it takes time proportional to N² to generate or encrypt a decryption key to be given to a user. However, it is possible to reduce the size of the public parameter and the master secret key and reduce time necessary for generating and encrypting the decryption key to be given to the user by combining the algorithms of the above embodiments with a scheme discussed in Non-Patent Literature 5.

Embodiment 3

In the above embodiments, the methods for implementing the cryptographic processes in dual vector spaces have been described. In Embodiment 3, a method for implementing the cryptographic processes in dual modules will be described.

That is, in the above embodiments, the cryptographic processes are implemented in cyclic groups of prime order q. However, when a ring R is expressed using a composite number M as indicated in Formula 220, the cryptographic processes described in the above embodiments can be adapted to a module having the ring R as a coefficient.

:=

/M

  [Formula 220]

where

: integer, and M: composite number.

By changing F_(q) to R in the algorithms described in the above embodiments, the cryptographic processes in dual additive groups can be implemented.

From the view point of security proof, in the above embodiments, ρ(i) for each integer i=1, . . . , L may be limited to a positive tuple (t, v^(→)) or negative tuple

(t, v^(→)) for respectively different identification information t.

In other words, when ρ(i)=(t, v^(→)) or ρ(i)=

(t, v^(→)), let a function ρ⁻ be map of ({1, . . . , L}→{1, . . . , d} such that ρ⁻(i)=t. In this case, ρ⁻ may be limited to injection. Note that ρ(i) is ρ(i) in the access structure S:=(M, ρ(i)) described above.

A hardware configuration of the cryptographic system 10 (the key generation device 100, the encryption device 200, the decryption device 300, the re-encryption device 400, and the re-encrypted ciphertext decryption device 500) according to the embodiments will now be described.

FIG. 30 is a diagram illustrating an example of a hardware configuration of the key generation device 100, the encryption device 200, the decryption device 300, the re-encryption device 400, and the re-encrypted ciphertext decryption device 500.

As illustrated in FIG. 30, each of the key generation device 100, the encryption device 200, the decryption device 300, the re-encryption device 400, and the re-encrypted ciphertext decryption device 500 includes the CPU 911 (also referred to as a Central Processing Unit, central processing device, processing device, arithmetic device, microprocessor, microcomputer, or processor) that executes programs. The CPU 911 is connected via a bus 912 to the ROM 913, the RAM 914, an LCD 901 (Liquid Crystal Display), the keyboard 902 (K/B), the communication board 915, and the magnetic disk device 920, and controls these hardware devices. In place of the magnetic disk device 920 (fixed disk device), a storage device such as an optical disk device or memory card read/write device may be employed. The magnetic disk device 920 is connected via a predetermined fixed disk interface.

The ROM 913 and the magnetic disk device 920 are examples of a nonvolatile memory. The RAM 914 is an example of a volatile memory. The ROM 913, the RAM 914, and the magnetic disk device 920 are examples of a storage device (memory). The keyboard 902 and the communication board 915 are examples of an input device. The keyboard 902 is an example of a communication device. The LCD 901 is an example of a display device.

The magnetic disk device 920, the ROM 913, or the like stores an operating system 921 (OS), a window system 922, programs 923, and files 924. The programs 923 are executed by the CPU 911, the operating system 921, and the window system 922.

The programs 923 store software and programs that execute the functions described in the above description as the “master key generation part 110”, the “master key storage part 120”, the “information input part 130”, the “decryption key generation part 140”, the “key transmission part 150”, the “public parameter receiving part 210”, the “information input part 220”, the “signature processing part 230”, the “encryption part 240”, the “ciphertext transmission part 250”, the “decryption key receiving part 310”, the “information input part 320”, the “re-encryption key generation part 330”, the “re-encryption key transmission part 340”, the “ciphertext receiving part 350”, the “verification part 360”, the “complementary coefficient computation part 370”, the “pairing operation part 380”, the “message computation part 390”, the “public parameter receiving part 410”, the “ciphertext receiving part 420”, the “re-encryption key receiving part 430”, the “verification part 440”, the “encryption part 450”, the “re-encrypted ciphertext transmission part 460”, the “decryption key receiving part 510”, the “ciphertext receiving part 520”, the “span program computation part 530”, the “complementary coefficient computation part 540”, the “conversion information generation part 550”, the “conversion part 560”, the “pairing operation part 570”, the “message computation part 580”, and the like. The programs 923 store other programs as well. The programs are read and executed by the CPU 911.

The files 924 store information, data, signal values, variable values, and parameters such as the “public parameter pk”, the “master secret key sk”, the “decryption keys sk_(S) and sk_(Γ)”, the “ciphertexts ct_(Γ) and ct_(S)”, the “re-encryption keys rk_((Γ,S′)) and rk_((S,Γ′)),”, the “re-encrypted ciphertexts CT_(S′) and CT_(Γ),”, the “access structures S and S′”, the “attribute sets Γ and Γ′”, and the “message m” in the above description, as the items of a “file” and “database”. The “file” and “database” are stored in a recording medium such as a disk or memory. The information, data, signal values, variable values, and parameters stored in the recording medium such as the disk or memory are read out to the main memory or cache memory by the CPU 911 through a read/write circuit, and are used for operations of the CPU 911 such as extraction, search, look-up, comparison, calculation, computation, processing, output, printing, and display. The information, data, signal values, variable values, and parameters are temporarily stored in the main memory, cache memory, or buffer memory during the operations of the CPU 911 including extraction, search, look-up, comparison, calculation, computation, processing, output, printing, and display.

The arrows in the flowcharts in the above description mainly indicate input/output of data and signals. The data and signal values are stored in the memory of the RAM 914, the recording medium such as an optical disk, or in an IC chip. The data and signals are transmitted online via a transmission medium such as the bus 912, signal lines, or cables, or via electric waves.

What is described as a “part” in the above description may be a “circuit”, “device”, “equipment”, “means”, or “function”, and may also be a “step”, “procedure”, or “process”. What is described as a “device” may be a “circuit”, “equipment”, “means”, or “function”, and may also be a “step”, “procedure”, or “process”. What is described as a “process” may be a “step”. In other words, what is described as a “part” may be realized by firmware stored in the ROM 913. Alternatively, what is described as a “part” may be implemented solely by software, or solely by hardware such as an element, a device, a substrate, or a wiring line, or by a combination of software and firmware, or by a combination including firmware. The firmware and software are stored as programs in the recording medium such as the ROM 913. The programs are read by the CPU 911 and are executed by the CPU 911. That is, each program causes the computer or the like to function as each “part” described above. Alternatively, each program causes the computer or the like to execute a procedure or a method of each “part” described above.

REFERENCE SIGNS LIST

-   -   100: key generation device, 110: master key generation part,         120: master key storage part, 130: information input part, 140:         decryption key generation part, 141: CP-FE key generation part,         142: random number generation part, 143: decryption key         k*generation part, 144: KP-FE key generation part, 145: f vector         generation part, 146: s vector generation part, 150: key         transmission part, 200: encryption device, 210: public parameter         receiving part, 220: information input part, 230: signature         processing part, 240: encryption part, 241: f vector generation         part, 242: s vector generation part, 243: random number         generation part, 244: ciphertext c^(enc) generation part, 250:         ciphertext transmission part, 300: decryption device, 310:         decryption key receiving part, 320: information input part, 330:         re-encryption key generation part, 331: random number generation         part, 332: conversion information W₁ generation part, 333:         conversion information W₁ encryption part, 334: decryption key         k*^(rk) generation part, 335: conversion part, 336: f vector         generation part, 337: s vector generation part, 340:         re-encryption key transmission part, 350: ciphertext receiving         part, 360: verification part, 361: span program computation         part, 362: signature verification part, 370: complementary         coefficient computation part, 380: pairing operation part, 390:         message computation part, 400: re-encryption device, 410: public         parameter receiving part, 420: ciphertext receiving part, 430:         re-encryption key receiving part, 440: verification part, 441:         span program computation part, 442: signature verification part,         450: encryption part, 451: random number generation part, 452: f         vector generation part, 453: s vector generation part, 454:         conversion information W₂ generation part, 455: conversion         information W₂ encryption part, 456: ciphertext c^(renc)         generation part, 457: decryption key k*^(renc) generation part,         460: re-encrypted ciphertext transmission part, 500:         re-encrypted ciphertext decryption device, 510: decryption key         receiving part, 520: ciphertext receiving part, 530: span         program computation part, 540: complementary coefficient         computation part, 550: conversion information generation part,         560: conversion part, 570: pairing operation part, 580: message         computation part 

1. A cryptographic system that implements a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, the cryptographic system comprising a re-encryption key generation device and a re-encryption device, wherein the re-encryption key generation device includes a decryption key k*^(rk) generation part that generates a decryption key k*^(rk) by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other; a conversion information W₁ encryption part that generates encrypted conversion information ψ^(rk) by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set; and a re-encryption key transmission part that transmits to the re-encryption device the decryption key k*^(rk) and the encrypted conversion information ψ^(rk), as a re-encryption key rk; and wherein the re-encryption device includes a ciphertext receiving part that receives a ciphertext c^(enc) in which is set the other one of the attribute information x and the attribute information v; a ciphertext c^(renc) generation part that generates a ciphertext c^(renc) by setting at least one of additional information H and additional information Θ corresponding to each other in the ciphertext c^(enc) received by the ciphertext receiving part; a decryption key k*^(renc) generation part that generates a decryption key k*^(renc) by setting at least the other one of the additional information H and the additional information Θ in the decryption key k*^(rk) included in the re-encryption key rk; and a re-encrypted ciphertext transmission part that transmits the ciphertext c^(renc), the decryption key k*^(renc), and the encrypted conversion information ψ^(rk), as a re-encrypted ciphertext CT.
 2. The cryptographic system according to claim 1, wherein the ciphertext c^(renc) generation part generates the ciphertext c^(renc) by converting the ciphertext C^(enc) using conversion information W₂, wherein the re-encryption device further includes a conversion information W₂ encryption part that generates encrypted conversion information ψ^(renc) by encrypting the conversion information W₂ using the one of the attribute information x′ and the attribute information v′, and wherein the re-encrypted ciphertext transmission part transmits the ciphertext c^(renc), the decryption key k*^(renc), the encrypted conversion information ψ^(rk), and the encrypted conversion information ψ^(renc), as the re-encrypted ciphertext CT.
 3. The cryptographic system according to claim 2, wherein the ciphertext receiving part receives the ciphertext c^(enc) in which is set a verification key verk for verifying a signature which is attached with a signature key sigk, a signature Sig which is attached to the ciphertext c^(enc) with the signature key sigk, and the verification key verk, and wherein the ciphertext c^(renc) generation part generates the ciphertext c^(renc) by setting the verification key verk in the ciphertext c^(enc) as the one of the additional information H and the additional information Θ.
 4. The cryptographic system according to claim 3, further comprising a re-encrypted ciphertext decryption device, wherein the re-encrypted ciphertext transmission part transmits the re-encrypted ciphertext CT to the re-encrypted ciphertext decryption device, wherein the re-encrypted ciphertext decryption device includes a decryption key receiving part that receives a decryption key k*′ which is generated using the other one of the attribute information x′ and the attribute information v′; a conversion information generation part that generates the conversion information W₁ by decrypting the encrypted conversion information ψ^(rk) with the decryption key k*′ received by the decryption key receiving part, and generates the conversion information W₂ by decrypting the encrypted conversion information ψ^(rk) with the decryption key k*′; a conversion part that generates a decryption key k*^(˜) by converting the decryption key k*^(renc) with the conversion information W₁, and generates a ciphertext c^(enc˜) by converting the ciphertext c^(renc) with the conversion information W₂; and a decryption part that decrypts the ciphertext c^(enc˜) with the decryption key k*^(˜) generated by the conversion part.
 5. The cryptographic system according to claim 4, wherein the decryption key k*^(rk) generation part generates the decryption key k*^(rk) including k*^(rk) ₀ and k*^(rk) _(t) indicated in Formula 2 from the decryption key k*₀ including k*₀ and k*_(t) indicated in Formula 1, wherein the ciphertext receiving part receives the ciphertext c^(enc) including c^(enc) ₀, c^(enc) _(i), and c^(enc) _(d+1) indicated in Formula 3, wherein the ciphertext c^(renc) generation part generates the ciphertext c^(renc) including c^(renc) ₀, c^(renc) _(i), and c^(renc) _(d+1) indicated in Formula 4, wherein the decryption key k*^(renc) generation part generates the decryption key k*^(renc) including k*^(renc) ₀ and k*^(renc) _(t) indicated in Formula 5, wherein the conversion part generates k*^(˜) and c^(˜) ₀ indicated in Formula 6, and wherein the decryption part computes a message m indicated in Formula 7, $\begin{matrix} {\mspace{79mu} {{{k_{0}^{*}:=\left( {1,\delta,0,0} \right)_{B_{0}^{*}}},\mspace{20mu} {k_{t}^{*}:=\left( \overset{\overset{n_{t}}{}}{\delta \; {\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu} {where}\mspace{20mu} {{\delta \overset{U}{}F_{q}},\mspace{20mu} {\Gamma = \left( {\left\{ {\left( {t,{\overset{\rightarrow}{x}}_{t}} \right),{1 \leq t \leq d}} \right\},\mspace{20mu} {{\overset{\rightarrow}{x}}_{t}:=\left( {x_{t{.1}},\ldots \mspace{14mu},x_{t.n_{t}}} \right)},\mspace{20mu} {n_{t}\mspace{14mu} {is}\mspace{14mu} {an}\mspace{14mu} {integer}\mspace{14mu} {of}\mspace{14mu} 1\mspace{14mu} {or}\mspace{14mu} {more}},{{and}\mspace{20mu} d\mspace{14mu} {is}\mspace{14mu} {an}\mspace{14mu} {integer}\mspace{14mu} {of}\mspace{14mu} 1\mspace{14mu} {or}\mspace{14mu} {more}},} \right.}}}} & \left\lbrack {{Formula}\mspace{14mu} 1} \right\rbrack \\ {\mspace{79mu} {{{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,\delta^{\prime},0,0} \right)_{B_{0}^{*}}} \right)W_{1}}},\mspace{20mu} {k_{t}^{*{rk}}:={k_{t}^{*} + \left( \overset{\overset{n_{t}}{}}{\delta^{\prime}\; {\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu} {where}\mspace{20mu} {\delta^{\prime}\overset{U}{}F_{q}}}} & \left\lbrack {{Formula}\mspace{14mu} 2} \right\rbrack \\ {\mspace{79mu} {{{c_{0}^{enc}:=\left( {\zeta,{- s_{0}},{\rho \left( {{verk},1} \right)}} \right)_{B_{0}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}\mspace{20mu} {{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right)}} \right)},\mspace{20mu} {c_{i}^{enc}:=\left( \overset{\overset{n_{t}}{}}{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {c_{i}^{enc}:=\left( \overset{\overset{n_{t}}{}}{s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{t}}},\mspace{20mu} {c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}}}\mspace{20mu} {where}\mspace{20mu} {{\overset{\rightarrow}{f}\overset{U}{}F_{q}^{r}},\mspace{79mu} {{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{20mu} {s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu} \rho,\zeta,{\theta_{i}\overset{U}{}F_{q}},\mspace{20mu} {M\mspace{14mu} {is}\mspace{14mu} a\mspace{14mu} {matrix}\mspace{14mu} {with}\mspace{14mu} L{\mspace{11mu} \;}{rows}\mspace{14mu} {and}\mspace{14mu} r\mspace{14mu} {columns}},}}} & \left\lbrack {{Formula}\mspace{14mu} 3} \right\rbrack \\ {\mspace{79mu} {{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},{- s_{0}^{\prime}},{\rho^{\prime}\left( {{verk},1} \right)}} \right)_{B_{0}}} \right)W_{2}}}\mspace{20mu} {{{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}\mspace{20mu} {{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu} {c_{i}^{enc}:={c_{i}^{enc} + \left( \overset{\overset{n_{t}}{}}{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}}},\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {c_{i}^{renc}:={c_{i}^{enc} + \left( \overset{\overset{n_{t}}{}}{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{t}}}},\mspace{20mu} {c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}}}\mspace{20mu} {where}\mspace{20mu} {{{\overset{\rightarrow}{f}}^{\prime}\overset{R}{}F_{q}^{r}},\mspace{20mu} {{\overset{\rightarrow}{s}}^{\prime \; T}:={\left( {s_{1}^{\prime},\ldots \mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}}},\mspace{20mu} {s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}},\mspace{20mu} \rho^{\prime},\zeta^{\prime},{\theta_{i}^{\prime}\overset{U}{}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 4} \right\rbrack \\ {\mspace{79mu} {{{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,\delta^{''},{\sigma \left( {{- 1},{verk}} \right)}} \right)_{D_{0}^{*}}}},\mspace{20mu} {k_{t}^{*{renc}}:={k_{t}^{*{rk}} + \left( \overset{\overset{n_{t}}{}}{\delta^{''}\; {\overset{\rightarrow}{x}}_{t}} \right)_{B_{0}^{*}}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu} {where}\mspace{20mu} {\delta^{''},{\sigma \overset{U}{}F_{q}},\mspace{20mu} {D_{0}^{*}:={B_{0}^{*}W_{1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 5} \right\rbrack \\ {\mspace{79mu} {{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}W_{1}^{- 1}}},\mspace{20mu} {{\overset{\sim}{c}}_{0}:={c_{0}^{renc}W_{2}^{- 1}}}}\mspace{20mu} {{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu} {{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 6} \right\rbrack \\ {{\overset{\sim}{K}:={e{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right) \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu} {m:={c_{d + 1}^{enc}/\overset{\sim}{K}}}\; \mspace{20mu} {where}\mspace{20mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}\mspace{20mu} {{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M}}}},{{{and}\mspace{14mu} I} \subseteq \begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}},}} & \left\lbrack {{Formula}\mspace{14mu} 7} \right\rbrack \end{matrix}$
 6. The cryptographic system according to claim 4, wherein the decryption key k*^(rk) generation part generates the decryption key k*^(rk) including k*^(rk) ₀ and k*^(rk) _(i) indicated in Formula 9 from the decryption key k* including k*₀ and k*_(i) indicated in Formula 8, wherein the ciphertext receiving part receives the ciphertext c^(enc) including c^(enc) ₀, c^(enc) _(t), and c^(enc) _(d+1) indicated in Formula 10, wherein the ciphertext c^(renc) generation part generates the ciphertext c^(renc) including c^(renc) ₀, c^(renc) _(t), and c^(renc) _(d+1) indicated in Formula 11, wherein the decryption key k*^(renc) generation part generates the decryption key k*^(renc) including k*^(renc) ₀ and k*^(renc) _(i) indicated in Formula 12, wherein the conversion part generates k*^(˜) ₀ and c^(˜) ₀ indicated in Formula 13, and wherein the decryption part computes a message m indicated in Formula 14, $\begin{matrix} {\mspace{79mu} {{{k_{0}^{*}:=\left( {1,s_{0},0,0} \right)_{B_{0}^{*}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L}}\mspace{20mu} {{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{{\overset{\rightarrow}{v}}_{i}:=\left( {v_{i{.1}},\ldots \mspace{14mu},v_{i.n_{t}}} \right)}} \right)},\mspace{20mu} {k_{i}^{*}:=\left( \overset{\overset{n_{t}}{}}{{s_{i}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}{\overset{\rightarrow}{v}}_{i}}} \right)_{B_{t}}},\mspace{79mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {k_{i}^{*}:=\left( \overset{\overset{n_{t}}{}}{s_{i}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}\mspace{20mu} {where}\mspace{20mu} {{\theta_{i}\overset{U}{}F_{q}},\mspace{20mu} {{\overset{\rightarrow}{f}}_{t}\overset{U}{}F_{q}^{r}},\mspace{85mu} {{\overset{\rightarrow}{s}}^{T}:={\left( {s_{1},\ldots \mspace{14mu},s_{L}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{T}}}},\mspace{20mu} {s_{0}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{T}}},\mspace{20mu} {M\mspace{14mu} {is}\mspace{14mu} a\mspace{14mu} {matrix}\mspace{14mu} {with}\mspace{14mu} L{\mspace{11mu} \;}{rows}\mspace{14mu} {and}\mspace{14mu} r\mspace{14mu} {columns}},{and}}\mspace{20mu} {{n_{t}\mspace{14mu} {is}\mspace{14mu} {an}\mspace{14mu} {integer}\mspace{14mu} {of}\mspace{14mu} 1\mspace{14mu} {or}\mspace{14mu} {more}},}}} & \left\lbrack {{Formula}\mspace{14mu} 8} \right\rbrack \\ {\mspace{79mu} {{k_{0}^{*{rk}}:={\left( {k_{0}^{*} + \left( {0,{- s_{0}^{\prime}},0,0} \right)_{B_{0}^{*}}} \right)W_{1}}}\mspace{20mu} {{{{for}\mspace{14mu} i} = 1},{\ldots \mspace{14mu} L\mspace{20mu} {{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{20mu} {k_{i}^{*{rk}}:={k_{i}^{*}\left( \overset{\overset{n_{t}}{}}{{s_{i}^{\prime}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}}} \right)}_{B_{0}^{*}}},\mspace{79mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {k_{i}^{*{rk}}:=\left( \overset{\overset{n_{t}}{}}{s_{i}^{\prime}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}\mspace{20mu} {where}\mspace{20mu} {{\theta_{i}^{\prime}\overset{U}{}F_{q}},\mspace{20mu} {{\overset{\rightarrow}{f}}_{t}^{\prime}\overset{U}{}F_{q}^{r}},\mspace{85mu} {{\overset{\rightarrow}{s}}^{\prime \; T}:={\left( {s_{1}^{\prime},\ldots \mspace{14mu},s_{L}^{\prime}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}}},\mspace{20mu} {s_{0}^{\prime}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{\prime \; T}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 9} \right\rbrack \\ {\mspace{79mu} {{{c_{0}^{enc}:=\left( {\zeta,\delta,{\rho \left( {{verk},1} \right)}} \right)_{B_{0}}},\mspace{20mu} {c_{t}^{enc}:=\left( \overset{\overset{n_{t}}{}}{{\delta {\overset{\rightarrow}{x}}_{t}},} \right)_{B_{t}}},{{{for}\mspace{14mu} \left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in \Gamma}}\mspace{20mu} {c_{d + 1}^{enc} = {m \cdot g_{T}^{\zeta}}}\mspace{20mu} {where}\mspace{20mu} {\zeta,\delta,{\rho \overset{U}{}F_{q}},\mspace{20mu} {\Gamma = \left( {\left\{ {\left( {t,{\overset{\rightarrow}{x}}_{t}} \right),{1 \leq t \leq d}} \right\},\mspace{79mu} {d\mspace{14mu} {is}\mspace{14mu} {an}\mspace{14mu} {integer}\mspace{14mu} {of}\mspace{14mu} 1\mspace{14mu} {or}\mspace{14mu} {more}},} \right.}}}} & \left\lbrack {{Formula}\mspace{14mu} 10} \right\rbrack \\ {\mspace{79mu} {{{c_{0}^{renc}:={\left( {c_{0}^{enc} + \left( {\zeta^{\prime},{- \delta^{\prime}},{\rho^{\prime}\left( {{verk},1} \right)}} \right)_{B_{0}}} \right)W_{2}}},\mspace{20mu} {c_{t}^{renc}:={{c_{t}^{enc} + {\left( \overset{\overset{n_{t}}{}}{\delta^{\prime}{\overset{\rightarrow}{x}}_{t}} \right)_{B_{t}}\mspace{14mu} {for}\mspace{14mu} \left( {t,x_{t}} \right)}} \in \Gamma}},\mspace{20mu} {c_{d + 1}^{renc} = {c_{d + 1}^{enc} \cdot g_{T}^{\zeta^{\prime}}}}}\mspace{20mu} {where}\mspace{20mu} {\zeta^{\prime},\delta^{\prime},{\rho^{\prime}\overset{U}{}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 11} \right\rbrack \\ {\mspace{79mu} {{{k_{0}^{*{renc}}:={k_{0}^{*{rk}} + \left( {0,{- s_{0}^{''}},{\sigma \left( {{- 1},{verk}} \right)}} \right)_{D_{0}^{*}}}},\mspace{20mu} {{{for}\mspace{14mu} i} = 1},\ldots \mspace{14mu},L}\mspace{20mu} {{{{if}\mspace{14mu} {\rho (i)}} = \left( {t,{\overset{\rightarrow}{v}}_{i}} \right)},\mspace{20mu} {k_{i}^{*{renc}}:={k_{i}^{*{rk}}\left( \overset{\overset{n_{t}}{}}{{s_{i}^{''}{\overset{\rightarrow}{e}}_{t{.1}}} + {\theta_{i}^{''}{\overset{\rightarrow}{v}}_{i}}} \right)}_{B_{0}^{*}}},\mspace{79mu} {{{if}\mspace{14mu} \rho (i)} = {\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)}},\mspace{79mu} {k_{i}^{*{renc}}:={k_{i}^{*{rk}} + \left( \overset{\overset{n_{t}}{}}{s_{i}^{''}{\overset{\rightarrow}{v}}_{i}} \right)_{B_{0}^{*}}}}}\mspace{20mu} {where}\mspace{20mu} {{{\overset{\rightarrow}{f}}^{''}\overset{R}{}F_{q}^{r}},\mspace{85mu} {{\overset{\rightarrow}{s}}^{''\; T}:={\left( {s_{1}^{''},\ldots \mspace{14mu},s_{L}^{''}} \right)^{T}:={M \cdot {\overset{\rightarrow}{f}}^{''\; T}}}},\mspace{20mu} {s_{0}^{''}:={\overset{\rightarrow}{1} \cdot {\overset{\rightarrow}{f}}^{''\; T}}},\mspace{20mu} \sigma,{\theta_{i}^{''}\overset{U}{}F_{q}}}}} & \left\lbrack {{Formula}\mspace{14mu} 12} \right\rbrack \\ {\mspace{79mu} {{{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}W_{1}^{- 1}}},\mspace{20mu} {{\overset{\sim}{c}}_{0}:={c_{0}^{renc}W_{2}^{- 1}}}}\mspace{20mu} {{{\overset{\sim}{k}}_{0}^{*}:={k_{0}^{*{renc}}{\overset{\sim}{W}}_{1}^{- 1}}},\mspace{20mu} {{\overset{\sim}{c}}_{0}:={c_{0}^{renc}{\overset{\sim}{W}}_{2}^{- 1}}}}}} & \left\lbrack {{Formula}\mspace{14mu} 13} \right\rbrack \\ {{\overset{\sim}{K}:={e{\left( {{\overset{\sim}{c}}_{0},{\overset{\sim}{k}}_{0}^{*}} \right) \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {({t,{\overset{\rightarrow}{v}}_{i}})}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i} \cdot {\prod\limits_{{i \in {I\bigwedge{\rho {(i)}}}} = {{({t,{\overset{\rightarrow}{v}}_{i}})}}}\; {{e\left( {c_{t}^{renc},k_{i}^{*{renc}}} \right)}{\alpha_{i}/\left( {{\overset{\rightarrow}{v}}_{i} \cdot {\overset{\rightarrow}{x}}_{t}} \right)}}}}}}}}}\mspace{20mu} {m:={c_{d + 1}^{enc}/\overset{\sim}{K}}}\; \mspace{20mu} {where}\mspace{20mu} {{\overset{\rightarrow}{1} = {\sum\limits_{i \in I}\; {\alpha_{i}M_{i}\mspace{20mu} {{where}\mspace{14mu} M_{i}\mspace{14mu} {is}\mspace{14mu} {the}\mspace{14mu} i\text{-}{th}\mspace{14mu} {row}\mspace{14mu} {of}\mspace{14mu} M}}}},{{{and}\mspace{14mu} I} \subseteq {\begin{Bmatrix} \left. {i \in \left\{ {1,\ldots \mspace{14mu},L} \right\}} \right| \\ {\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}}} = 0}} \right\rbrack\bigvee} \\ {\quad\left\lbrack {{\rho (i)} = {{{\left( {t,{\overset{\rightarrow}{v}}_{i}} \right)\bigwedge\left( {t,{\overset{\rightarrow}{x}}_{t}} \right)} \in {{{\Gamma\bigwedge{\overset{\rightarrow}{v}}_{i}} \cdot {\overset{\rightarrow}{x}}_{t}} \neq 0}}}} \right\rbrack} \end{Bmatrix}.}}}} & \left\lbrack {{Formula}\mspace{14mu} 14} \right\rbrack \end{matrix}$
 7. A re-encryption key generation device of a cryptographic system that implements a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, the re-encryption key generation device comprising: a decryption key k*^(rk) generation part that generates a decryption key k*^(rk) by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other; a conversion information W₁ encryption part that generates encrypted conversion information ψ^(rk) by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set; and a re-encryption key transmission part that transmits to a re-encryption device the decryption key k*^(rk) and the encrypted conversion information ψ^(rk), as a re-encryption key rk.
 8. A re-encryption device of a cryptographic system that implements a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, the re-encryption device comprising: a re-encryption key receiving part that receives, as a re-encryption key rk, a decryption key k*^(rk) which is generated by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other, and encrypted conversion information ψ^(rk) which is generated by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set; a ciphertext receiving part that receives a ciphertext c^(enc) in which is set the other one of the attribute information x and the attribute information v; a ciphertext c^(renc) generation part that generates a ciphertext c^(renc) by setting at least one of additional information H and additional information Θ corresponding to each other in the ciphertext c^(enc) received by the ciphertext receiving part; a decryption key k*^(renc) generation part that generates a decryption key k*^(renc) by setting at least the other one of the additional information H and the additional information Θ in the decryption key k*^(rk) included in the re-encryption key rk; and a re-encrypted ciphertext transmission part that transmits the ciphertext c^(renc), the decryption key k*^(renc), and the encrypted conversion information ψ^(rk), as a re-encrypted ciphertext CT.
 9. A cryptographic method for implementing a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, the cryptographic method comprising: generating a decryption key k*^(rk) by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other, by a re-encryption key generation device; generating encrypted conversion information ψ^(rk) by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set, by the re-encryption key generation device; transmitting to a re-encryption device the decryption key k*^(rk) and the encrypted conversion information ψ^(rk), as a re-encryption key rk, by the re-encrypted key generation device; receiving step of receiving a ciphertext c^(enc) in which is set the other one of the attribute information x and the attribute information v, by the re-encryption device; generating a ciphertext c^(renc) by setting at least one of additional information H and additional information Θ corresponding to each other in the ciphertext c^(enc), by the re-encryption device; generating a decryption key k*^(renc) by setting at least the other one of the additional information H and the additional information Θ in the decryption key k*^(rk) included in the re-encryption key rk, by the re-encryption device; and transmitting the ciphertext c^(renc), the decryption key k*^(renc), and the encrypted conversion information ψ^(rk), as a re-encrypted ciphertext CT, by the re-encryption device.
 10. A cryptographic program that implements a proxy re-encryption function in a cryptographic scheme according to which when two pieces of information correspond to each other, a ciphertext in which is set one of the two pieces of information can be decrypted with a decryption key in which is set the other one of the two pieces of information, the cryptographic program comprising a re-encryption key generation program and a re-encryption program, the re-encryption key generation program causing a computer to execute a decryption key k*^(rk) generation process of generating a decryption key k*^(rk) by converting, using conversion information W₁, a decryption key k* in which is set one of attribute information x and attribute information v corresponding to each other; a conversion information W₁ encryption process of generating encrypted conversion information ψ^(rk) by encrypting the conversion information W₁ with one of attribute information x′ and attribute information v′ corresponding to each other being set; and a re-encryption key transmission process of transmitting to the re-encryption program the decryption key k*^(rk) and the encrypted conversion information ψ^(rk), as a re-encryption key rk, the re-encryption program causing a computer to execute a ciphertext receiving process of receiving a ciphertext c^(enc) in which is set the other one of the attribute information x and the attribute information v; a ciphertext c^(renc) generation process of generating a ciphertext c^(renc) by setting at least one of additional information H and additional information Θ corresponding to each other in the ciphertext c^(enc) received in the ciphertext receiving process; a decryption key k*^(renc) generation step of generating a decryption key k*^(renc) by setting at least the other one of the additional information H and the additional information Θ in the decryption key k*^(rk) included in the re-encryption key rk; and a re-encrypted ciphertext transmission process of transmitting the ciphertext c^(renc), the decryption key k*^(renc), and the encrypted conversion information ψ^(rk), as a re-encrypted ciphertext CT. 